Windows Analysis Report W7UbgU8x18

Overview

General Information

Sample Name: W7UbgU8x18 (renamed file extension from none to exe)
Analysis ID: 528611
MD5: 01f140fea9669403791fb89c47138d69
SHA1: c4278cf25da52adc05f4d2161a11c7b96928ccea
SHA256: f135fdb20bb785afb947173d0bbfdfedd1ce5b8c4907f6aa37e9a9a706d8a1db
Tags: 32, AgentTesla, exe, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • W7UbgU8x18.exe (PID: 5644 cmdline: "C:\Users\user\Desktop\W7UbgU8x18.exe" MD5: 01F140FEA9669403791FB89C47138D69)
    • conhost.exe (PID: 1768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_regbrowsers.exe (PID: 408 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
    • aspnet_regbrowsers.exe (PID: 4896 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
    • WerFault.exe (PID: 6380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 1396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "oazahotel@oazahotel.com.mk", "Password": "Oazah2020", "Host": "odin.mk-host.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000000.250374714.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.0.aspnet_regbrowsers.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.0.aspnet_regbrowsers.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.W7UbgU8x18.exe.3938940.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.W7UbgU8x18.exe.3938940.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
2.0.aspnet_regbrowsers.exe.400000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:
Found malware configuration
Source: 0.0.W7UbgU8x18.exe.3938940.7.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "oazahotel@oazahotel.com.mk", "Password": "Oazah2020", "Host": "odin.mk-host.com"}
Multi AV Scanner detection for submitted file
Source: W7UbgU8x18.exe, Virustotal: Detection: 35%
Source: W7UbgU8x18.exe, ReversingLabs: Detection: 28%
Machine Learning detection for sample
Source: W7UbgU8x18.exe, Joe Sandbox ML: detected
Source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.aspnet_regbrowsers.exe.400000.2.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.2.aspnet_regbrowsers.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.aspnet_regbrowsers.exe.400000.4.unpack, Avira: Label: TR/Spy.Gen8
Source: W7UbgU8x18.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: D .pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000A.00000003.271728501.0000000003125000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270300201.0000000003125000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER343.tmp.dmp.10.dr
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.pdbMZ source: WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.pdb source: W7UbgU8x18.exe, 00000000.00000000.256471113.00000000028DD000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: tuneraidfix.pdb<qA source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: fixedhost.pdb source: W7UbgU8x18.exe, 00000000.00000000.261864579.0000000002860000.00000004.00020000.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Core.pdbq source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\tuneraidfix.pdb] source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000A.00000003.271474632.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270327702.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270696517.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271114110.0000000003137000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000A.00000003.285188895.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284978604.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285080721.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Xml.ni.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Zsymbols\exe\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: l8C:\Windows\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbi source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: cryptbase.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Joe Sandbox View, ASN Name: 24SHELLSUS
                      Source: global traffic, HTTP traffic detected: GET /token_ta992i.txt HTTP/1.1 Host: 194.85.248.219 Connection: Keep-Alive
                      Source: global traffic, HTTP traffic detected: GET /publickey.txt HTTP/1.1 Host: 194.85.248.219
                      Source: global traffic, HTTP traffic detected: GET /token_ta992i.txt HTTP/1.1 Host: 194.85.248.219
                      Source: Joe Sandbox View, IP Address: 209.205.200.74
                      Source: global traffic, TCP traffic: 192.168.2.5:49817 -> 209.205.200.74:587
                      Source: unknown, TCP traffic detected without corresponding DNS query: 194.85.248.219
                      Source: unknown, DNS traffic detected: queries for: odin.mk-host.com
                      Source: W7UbgU8x18.exe, 00000000.00000000.261051389.0000000000B7A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      .NET source code contains very large array initializations
                      Source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, <PrivateImplementationDetails>{51F4FAD8-C68C-48D5-8048-B546FD1BA033}/BD7250DB-F98D-47A7-866C-6BD9A3781D1C.cs, Large array initialization: .cctor: array initializer size 11957
                      Source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, <PrivateImplementationDetails>{51F4FAD8-C68C-48D5-8048-B546FD1BA033}/BD7250DB-F98D-47A7-866C-6BD9A3781D1C.cs, Large array initialization: .cctor: array initializer size 11957
                      Source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, <PrivateImplementationDetails>{51F4FAD8-C68C-48D5-8048-B546FD1BA033}/BD7250DB-F98D-47A7-866C-6BD9A3781D1C.cs, Large array initialization: .cctor: array initializer size 11957
                      Source: 2.0.aspnet_regbrowsers.exe.400000.2.unpack, <PrivateImplementationDetails>{51F4FAD8-C68C-48D5-8048-B546FD1BA033}/BD7250DB-F98D-47A7-866C-6BD9A3781D1C.cs, Large array initialization: .cctor: array initializer size 11957
                      Source: 2.2.aspnet_regbrowsers.exe.400000.0.unpack, <PrivateImplementationDetails>{51F4FAD8-C68C-48D5-8048-B546FD1BA033}/BD7250DB-F98D-47A7-866C-6BD9A3781D1C.cs, Large array initialization: .cctor: array initializer size 11957
                      Source: 2.0.aspnet_regbrowsers.exe.400000.4.unpack, <PrivateImplementationDetails>{51F4FAD8-C68C-48D5-8048-B546FD1BA033}/BD7250DB-F98D-47A7-866C-6BD9A3781D1C.cs, Large array initialization: .cctor: array initializer size 11957
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 1396
                      Source: W7UbgU8x18.exe Binary or memory string: OriginalFilename vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameuaAFllYGbTewxRVnYOHBNjJG.exe4 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000000.261051389.0000000000B7A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000002.301512168.0000000000412000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametuneraidfix.exe8 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000002.302293725.0000000000B7A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000000.261864579.0000000002860000.00000004.00020000.sdmp Binary or memory string: OriginalFilenamefixedhost.dll0 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000000.256471113.00000000028DD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenametuneraidfix.exe8 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe Binary or memory string: OriginalFilenametuneraidfix.exe8 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe Virustotal: Detection: 35%
                      Source: W7UbgU8x18.exe ReversingLabs: Detection: 28%
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe File read: C:\Users\user\Desktop\W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Users\user\Desktop\W7UbgU8x18.exe "C:\Users\user\Desktop\W7UbgU8x18.exe"
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 1396
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER343.tmp
                      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/7@1/2
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1768:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5644
                      Source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: W7UbgU8x18.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: W7UbgU8x18.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: W7UbgU8x18.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb""9s source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.270613865.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270476484.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.283477132.000000000501C000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270318610.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271099127.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270669562.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270533710.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271835064.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270427827.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: tuneraidfix.pdb" source: WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp
                      Source: Binary string: t.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: cfgmgr32.pdb, source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.271728501.0000000003125000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270300201.0000000003125000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: ore.ni.pdb" source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb6 source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: fixedhost.pdb\ source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\exe\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.271474632.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270327702.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270696517.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271114110.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3|n source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1605780553\un_priv\tuneraidfix\obj\Release\tuneraidfix.pdb source: W7UbgU8x18.exe
                      Source: Binary string: fixedhost.pdbMZ@ source: WER343.tmp.dmp.10.dr
                      Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Z.pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb* source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: tuneraidfix.pdb4 source: WER343.tmp.dmp.10.dr
                      Source: Binary string: mscorlib.pdb source: W7UbgU8x18.exe, 00000000.00000000.256471113.00000000028DD000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: C:\Windows\tuneraidfix.pdbpdbfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.285188895.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284978604.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285080721.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000A.00000003.270318610.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271099127.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270669562.0000000003131000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER343.tmp.dmp.10.dr
                      Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1605780553\un_priv\tuneraidfix\obj\Release\tuneraidfix.pdbP source: W7UbgU8x18.exe, 00000000.00000000.256076792.0000000000C18000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000002.302604429.0000000000C18000.00000004.00000020.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WER343.tmp.dmp.10.dr
                      Source: Binary string: C:\Users\user\Desktop\W7UbgU8x18.PDB source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: winhttp.pdbW source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: t.pdb" source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WER343.tmp.dmp.10.dr
                      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: W7UbgU8x18.PDB source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: t.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdbK source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.ex