Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

nRGKqzVQRt.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nRGKqzVQRt.exe_96cca49e4bf4c34aa7c2fc23543654f721481d5_34ddec4d_08310f16-b122-4177-906b-6fa498f8123b\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nRGKqzVQRt.exe_a79f8132bcca3db4bb8567b6b2e85625dcb38718_34ddec4d_bbfd8e7e-5e70-4d31-a4e6-19ea7dc199a6\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nRGKqzVQRt.exe_b852f8d9db928673607680cdcdacfddad4b1959_34ddec4d_05259ca6-5fda-47fb-ab1d-47161bf9fb00\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nRGKqzVQRt.exe_b852f8d9db928673607680cdcdacfddad4b1959_34ddec4d_8abba573-3b10-4949-bccc-6f9c0a241678\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nRGKqzVQRt.exe_b852f8d9db928673607680cdcdacfddad4b1959_34ddec4d_c90bd162-8e24-4dab-882c-185572e12616\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nRGKqzVQRt.exe_b852f8d9db928673607680cdcdacfddad4b1959_34ddec4d_c90fdb66-40d1-4f87-8995-8ec3b1052dc7\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nRGKqzVQRt.exe_b852f8d9db928673607680cdcdacfddad4b1959_34ddec4d_d5e694f9-d00b-44c6-955c-c0802dc13cf9\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nRGKqzVQRt.exe_b852f8d9db928673607680cdcdacfddad4b1959_34ddec4d_edc95a15-6c1f-41e1-bf28-6f154e4f01fb\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

modified

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\soft[1]

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\dll[1]

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\DV9E5wt3wGZ3\Bunifu_UI_v1.5.3.dll

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\DV9E5wt3wGZ3\Y-Cleaner.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER206B.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 02:24:04 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2137.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2167.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER233A.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 02:24:05 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER23F6.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2416.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER25D9.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 02:24:05 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2638.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2658.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER29A2.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 02:24:06 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A20.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A50.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DC9.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 02:24:07 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E47.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E67.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3069.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 02:24:08 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER30F6.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3193.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADC6.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 02:24:40 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEE1.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF10.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9AD.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 02:24:43 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA2B.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA5B.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\key[1].htm

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\download[1].htm

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\name[1].htm

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\add[1].htm

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\download[1].htm

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\fuckingdllENCR[1].dll

data

dropped

C:\Users\user\Desktop\Cleaner.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Tue Oct 8 01:24:39 2024, mtime=Tue Oct 8 01:24:39 2024, atime=Tue Oct 8 01:24:39 2024, length=1502720, window=hide

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 35 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\nRGKqzVQRt.exe

"C:\Users\user\Desktop\nRGKqzVQRt.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3212
Target ID:	0
Parent PID:	4004
Name:	nRGKqzVQRt.exe
Path:	C:\Users\user\Desktop\nRGKqzVQRt.exe
Commandline:	"C:\Users\user\Desktop\nRGKqzVQRt.exe"
Size:	465920
MD5:	75C689774E5B58A3C4CED392928B6053
Time:	22:24:01
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	536576
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 732

Details

Is windows:	true
Is dropped:	false
PID:	3160
Target ID:	4
Parent PID:	3212
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 732
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	22:24:04
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 772

Details

Is windows:	true
Is dropped:	false
PID:	2304
Target ID:	6
Parent PID:	3212
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 772
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	22:24:04
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 772

Details

Is windows:	true
Is dropped:	false
PID:	5936
Target ID:	9
Parent PID:	3212
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 772
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	22:24:05
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 792

Details

Is windows:	true
Is dropped:	false
PID:	4412
Target ID:	11
Parent PID:	3212
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 792
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	22:24:06
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 528

Details

Is windows:	true
Is dropped:	false
PID:	1372
Target ID:	13
Parent PID:	3212
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 528
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	22:24:07
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1016

Details

Is windows:	true
Is dropped:	false
PID:	3524
Target ID:	15
Parent PID:	3212
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1016
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	22:24:08
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1468

Details

Is windows:	true
Is dropped:	false
PID:	4184
Target ID:	19
Parent PID:	3212
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1468
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	22:24:40
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1292

Details

Is windows:	true
Is dropped:	false
PID:	5788
Target ID:	22
Parent PID:	3212
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1292
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	22:24:43
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://80.66.75.114/dll/key

80.66.75.114

http://80.66.75.114/dll/downloadG

unknown

http://80.66.75.114/files/download

80.66.75.114

http://80.66.75.114/dll/download

80.66.75.114

https://g-cleanit.hk

unknown

http://upx.sf.net

unknown

http://80.66.75.114/dll/downloadC

unknown

http://80.66.75.114/soft/download

80.66.75.114

http://80.66.75.114/dll/key%S

unknown

http://80.66.75.114/name

80.66.75.114

http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174

unknown

http://80.66.75.114/add?substr=mixnine&s=three&sub=NOSUB

80.66.75.114

https://iplogger.org/1Pz8p7

unknown

http://80.66.75.114/name5o1

unknown

http://80.66.75.114/soft/download?

unknown

There are 5 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

80.66.75.114

unknown

Russian Federation

Details

IP:	80.66.75.114
TargetID:	0
Current Path:	C:\Users\user\Desktop\nRGKqzVQRt.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	20803
ASN name:	RISS-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking