
Windows Analysis Report 0Jk67LObin

Overview

General Information

Sample Name: 0Jk67LObin (renamed file extension from none to exe)
Analysis ID: 541178
MD5: bb9e3c71b3ee3279632905f905ac21c4
SHA1: a2b1d81ec6a21b52f555f5ec7e9cf9a73f937971
SHA256: 2f60704e2dac47d532955485a04c195dffa41f9e638527ac42c82a224b2202ea
Tags: exe

Detection

Jester Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Jester Stealer
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Found Tor onion address
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
.NET source code contains very large array initializations
Tries to harvest and steal Bitcoin Wallet information
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 0Jk67LObin.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\0Jk67LObin.exe" MD5: BB9E3C71B3EE3279632905F905AC21C4)
    • dfsvc.exe (PID: 6664 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe MD5: 48FD4DD682051712E3E7757C525DED71)
    • aspnet_regsql.exe (PID: 6732 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe MD5: DC0A2353DC4A9CDCF7B0F959DA258B4E)
      • WerFault.exe (PID: 5672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 1368 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: JesterStealer

{"Mutex": "efbb42d7-d0db-4f16-a194-3d9d9d1fc654", "C2 url": "http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000000.658704616.0000000000402000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.0Jk67LObin.exe.3537fd0.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
4.0.aspnet_regsql.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.0Jk67LObin.exe.4480000.13.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
4.0.aspnet_regsql.exe.400000.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.0Jk67LObin.exe.3537fd0.5.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.0Jk67LObin.exe.5e10000.20.raw.unpack; Malware Configuration Extractor: JesterStealer {"Mutex": "efbb42d7-d0db-4f16-a194-3d9d9d1fc654", "C2 url": "http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man"}
Multi AV Scanner detection for submitted file
Source: 0Jk67LObin.exe; Virustotal: Detection: 23%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe; Code function: 4_2_05FF1718 CryptUnprotectData, 4_2_05FF1718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe; Code function: 4_2_05FF2520 CryptUnprotectData, 4_2_05FF2520
Source: 0Jk67LObin.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: ecurity.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
                      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
                      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.679840119.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679393148.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679911809.00000000035C6000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
                      Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
                      Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
                      Source: Binary string: clrcompression.pdb_ source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
                      Source: Binary string: winrnr.pdbN) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
                      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
                      Source: Binary string: System.Security.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdbf) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp

                      Networking:

                      Found Tor onion address
                      Source: aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp String found in binary or memory: mVhttp://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man
                      May check the online IP address of the machine
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe DNS query: name: ip-api.com
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractor URLs: http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man
                      Source: global traffic HTTP traffic detected: GET /json?fields=query HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                      Source: Joe Sandbox View IP Address: 208.95.112.1
                      Source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: .facebook.comGhttps://www.facebook.com/adsmanager equals www.facebook.com (Facebook)
                      Source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: .youtube.comShttps://www.youtube.com/channel/{0}/about equals www.youtube.com (Youtube)
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp String found in binary or memory: m9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                      Source: aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmpString found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two 
completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                      Source: aspnet_regsql.exe, 00000004.00000000.673253442.000000000295E000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.671191514.0000000002950000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com
                      Source: aspnet_regsql.exe, 00000004.00000000.671191514.0000000002950000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/json?fields=T
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.671191514.0000000002950000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/json?fields=query
                      Source: aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com4Tl
                      Source: aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp String found in binary or memory: http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                      Source: aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706449702.000000000292C000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
                      Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                      Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: 0Jk67LObin.exe String found in binary or memory: https://aka.ms/msbuild/MSB4803
                      Source: 0Jk67LObin.exe String found in binary or memory: https://aka.ms/msbuild/developerpacks
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://api.anonfiles.com/upload
                      Source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://api.blockcypher.com/v1/dash/main/addrs/
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://api.github.com/users/
                      Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://chain.api.btc.com/v3/address/
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://chain.so/api/v2/get_address_balance/LTC/
                      Source: 0Jk67LObin.exe String found in binary or memory: https://code.visualstudio.com/0
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://discordapp.com/api/v6/users/
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://dogechain.info/api/v1/address/balance/
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://dogechain.info/api/v1/address/balance/ahttps://chain.so/api/v2/get_address_balance/LTC/#conf
                      Source: aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabu
                      Source: aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabush
                      Source: aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/graphql/query/?query_hash=
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://lookup.binlist.net/
                      Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://steamcommunity.com/profiles/
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp String found in binary or memory: https://store.steampowered.com/account
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                      Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmpString found in binary or memory: https://www.epicgames.com/account/transactions
                      Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmpString found in binary or memory: https://www.paypal.com/myaccount/money
                      Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com/channel/
                      Source: unknownDNS traffic detected: queries for: 59.60.14.0.in-addr.arpa
                      Source: global trafficHTTP traffic detected: GET /json?fields=query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
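The single HTTP request above is the one observable network event in this report: a bare GET to ip-api.com with no User-Agent header, which is how the sample learns the victim's public IP. The following is an added detection example, not part of the sandbox report. It parses raw HTTP/1.x requests and flags the two properties seen here (a known IP-lookup host, and a missing User-Agent); the request text is reconstructed from the report's line, the hostname list comes from the strings the report lists, and the benign control request is constructed.

```python
"""Flag HTTP requests that look like the sample's IP-address check: a request
to a public IP-lookup service and/or one with no User-Agent header.
Added example for this report, not code from the sandbox or the malware."""
from dataclasses import dataclass, field

# Hosts the report shows: ip-api.com was actually contacted, lookup.binlist.net
# appears as a string in memory.
IP_LOOKUP_HOSTS = {"ip-api.com", "lookup.binlist.net"}


@dataclass
class RequestFinding:
    host: str
    target: str                      # "<METHOD> <request-target>"
    reasons: list = field(default_factory=list)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_request(raw: str) -> RequestFinding:
    """Return the finding for one request; an empty reasons list means clean."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    finding = RequestFinding(host=host, target=f"{method} {target}")
    if host in IP_LOOKUP_HOSTS:
        finding.reasons.append("external IP lookup service")
    if "user-agent" not in headers:
        finding.reasons.append("no User-Agent header")
    return finding


# Reconstructed from the report's line
# "GET /json?fields=query HTTP/1.1 Host: ip-api.com Connection: Keep-Alive".
SAMPLE_REQUEST = (
    "GET /json?fields=query HTTP/1.1\r\n"
    "Host: ip-api.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed benign browser request for comparison.
BENIGN_REQUEST = (
    "GET /search?q=x HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, BENIGN_REQUEST):
        f = check_request(raw)
        print(f.host, f.target, f.reasons or "clean")
```

Either property on its own is weak (plenty of legitimate tooling omits a User-Agent, and some telemetry agents do query ip-api.com); the combination, from a process that is a .NET Framework utility rather than a browser, is what makes it worth alerting on.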

System Summary:

.NET source code contains very large array initializations
Source: 0Jk67LObin.exe, C7570F0A2/D7CDC980B.cs | Large array initialization: System.UInt64[] C7570F0A2.D7CDC980B::A9088C219: array initializer size 8704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 1368
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_0230B288
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_023093C8
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_02303110
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_0230AA80
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_02302AE8
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_023089E0
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_0230BDB0
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_02309398
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_02309EF8
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_05E091C8
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_05E032A8
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_05E03C18
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_05E0AF70
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_05E025E9
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_05E0332A
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_05E03298
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_05E03C09
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Code function: 0_2_05E0AEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_026A8690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_026A1778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_026AC9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_026A8F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_026A8348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_026A1768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_05FF0DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_05FF6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_05FF6B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_05FF3A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Code function: 4_2_05FF08D0
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672664840.0000000004C50000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameAntiDump.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.668078311.00000000024E7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000000.649851214.00000000001AC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAdMunch.exe6 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672466502.00000000044F0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameaspnet_regsql.exeT vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672146568.0000000003679000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672146568.0000000003679000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAntiDump.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672074305.00000000035B2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaspnet_regsql.exeT vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.666959667.0000000000012000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUltimate.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672290170.0000000003F0D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAntiDump.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000003.652088687.0000000003F6F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAntiDump.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamedfsvc.exeT vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe | Binary or memory string: OriginalFilenameUltimate.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe | Binary or memory string: OriginalFilenameAdMunch.exe6 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe | Static PE information: invalid certificate
Source: 0Jk67LObin.exe | Virustotal: Detection: 23%
Source: 0Jk67LObin.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\0Jk67LObin.exe "C:\Users\user\Desktop\0Jk67LObin.exe"
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Process created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 1368
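The process chain above is the shape of a hollowed .NET host: an executable in a user profile starts dfsvc.exe and aspnet_regsql.exe with a bare command line (neither tool does anything useful without arguments), and WerFault.exe then reports a crash of PID 6732, which is what you see when injected code faults inside the host. The following is an added detection example, not part of the sandbox report. It runs two rules over a constructed process-event list modelled on the report's process tree; only PID 6732 and the image paths and command lines are taken from the report, while the other PIDs and the benign control rows are made up.

```python
"""Hunt for the hollow-host pattern from the report in process-creation events:
rule 1: a .NET Framework utility started by a user-profile binary with no arguments;
rule 2: WerFault.exe reporting a crash (-p <pid>) of one of those utilities.
Added example for this report, not code from the sandbox or the malware."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # resolved image path
    command_line: str


DOTNET_DIR = "c:\\windows\\microsoft.net\\"   # Framework\v4.0.30319 and assembly\GAC_MSIL both live here
USER_DIR = "c:\\users\\"


def _is_argless(cmdline: str) -> bool:
    """True when the command line is just the image path, quoted or not."""
    body = cmdline.strip()
    if body.startswith('"'):
        end = body.find('"', 1)
        return end != -1 and body[end + 1:].strip() == ""
    return " " not in body


def find_hollow_hosts(events):
    """Rule 1. Returns {pid: reason} for suspected injection hosts."""
    by_pid = {e.pid: e for e in events}
    hosts = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if (e.image.lower().startswith(DOTNET_DIR)
                and parent.image.lower().startswith(USER_DIR)
                and _is_argless(e.command_line)):
            hosts[e.pid] = f"{parent.image} started {e.image} with no arguments"
    return hosts


WERFAULT_PID = re.compile(r"werfault\.exe.*?-p\s+(\d+)", re.IGNORECASE)


def crashed_hosts(events, hosts):
    """Rule 2. PIDs from `hosts` that WerFault later reported as crashed."""
    crashed = set()
    for e in events:
        m = WERFAULT_PID.search(e.command_line)
        if m and int(m.group(1)) in hosts:
            crashed.add(int(m.group(1)))
    return crashed


# Constructed from the report's process tree; PIDs other than 6732 are invented.
EVENTS = [
    ProcEvent(1000, 900, r"C:\Users\user\Desktop\0Jk67LObin.exe",
              r'"C:\Users\user\Desktop\0Jk67LObin.exe"'),
    ProcEvent(1001, 1000, r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"),
    ProcEvent(6732, 1000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"),
    ProcEvent(7100, 6732, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 1368"),
    # Constructed benign control: an admin shell running the tool with real arguments.
    ProcEvent(2000, 1900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2001, 2000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe",
              "aspnet_regsql.exe -E -S localhost -A all"),
]

if __name__ == "__main__":
    hosts = find_hollow_hosts(EVENTS)
    for pid, reason in hosts.items():
        print(f"pid {pid}: {reason}")
    print("crashed after injection:", sorted(crashed_hosts(EVENTS, hosts)))
```

On Sysmon data the same two rules map onto Event ID 1 (ParentImage, Image, CommandLine) and the WerFault command line; adding Event ID 8 or 10 (CreateRemoteThread / process access from the parent into the host) turns rule 1 from a heuristic into a near-certain injection finding.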
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\0Jk67LObin.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0Jk67LObin.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB49.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/7@2/1
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/D6795E7F8.cs | Task registration methods: 'CreateManifestName'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/C8BC1DC04.cs | Task registration methods: 'CreateManifestName'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/B7775143B.cs | Task registration methods: 'CreateManifestName'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/Deployment.ManifestUtilities/FC23BF4D3.cs | Task registration methods: 'set_CreateDesktopShortcut', 'get_XmlCreateDesktopShortcut', 'set_XmlCreateDesktopShortcut', 'get_CreateDesktopShortcut'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/FE165B4BE.cs | Task registration methods: 'set_CreateDesktopShortcut', 'get_CreateDesktopShortcut'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/C78F1F52A.cs | Task registration methods: 'get_StronglyTypedResourceSuccessfullyCreated', 'get_UnsuccessfullyCreatedOutFiles'
Source: C:\Users\user\Desktop\0Jk67LObin.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.2.aspnet_regsql.exe.400000.0.unpack, n_4urka/c_DeregisterFromAssembly_mrsegy.cs | Base64 encoded string: 'WfW86nK5ExfnQeMWWE2qCdZzCBl7cG7bFjN4V6SvwGFpVj3zzMeka+DNeW4hGFfzt4wAN7XRBjG7pIY/oq9VJw==', 'hVwhMAQNsUXyljDP71vd98m72GL53YAwGlDjCsssHfNDfkw2BM3ZHfN+iRO2iuNMG5h7s4o49SGOokidda1jDw==', 'zjkXUWzNCbrCuNvyAwk+9UUL/F9+lNCcmZWr0gasSBams001D5NvgW8oCOmaR521', 'ZznELENvuYFvbI+5UX6Zctn8b3gvN4ON8e+aM5VaDwoWiwHrJ7vto3MSjZf+Tt9AjOFIGBzXx+7k8vESsDmPTw=='
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | Mutant created: \Sessions\1\BaseNamedObjects\efbb42d7-d0db-4f16-a194-3d9d9d1fc654
Source: 0Jk67LObin.exe | Binary or memory string: @(AMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: 0Jk67LObin.exe | String found in binary or memory: ,/InstalledAssemblyTables%FrameworkDirectory9IgnoreInstalledAssemblyTable3AllowedAssemblyExtensions9AllowedRelatedFileExtensions
Source: 0Jk67LObin.exe, C7570F0A2/D28055528.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.aspnet_regsql.exe.400000.0.unpack, n_Hoxol/c_u003cAwakeu003eb__12_0_riqjth.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.2.aspnet_regsql.exe.400000.0.unpack, n_rukoblyd/c_Reload_hxtwvx.cs | Cryptographic APIs: 'TransformFinalBlock'
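The four base64 strings the decompiler pulled out of the unpacked aspnet_regsql.exe payload, together with the CreateDecryptor/TransformFinalBlock calls listed just above, suggest encrypted configuration rather than plaintext strings. The following is an added triage example, not part of the sandbox report: it decodes the four strings exactly as the report lists them and checks whether the bytes look like text or like block-cipher output (AES, the default for .NET's CreateDecryptor, produces ciphertext in 16-byte multiples). The interpretation heuristics are ours; the report itself only lists the strings and the API names.

```python
"""Triage base64 blobs recovered from a .NET stealer: decode, then ask whether
each one reads as text or as block-cipher output worth feeding to the
decryptor the binary also contains.  Added example for this report, not code
from the sandbox or the malware; the four blobs are copied from the report."""
import base64
import math
from collections import Counter

# Copied verbatim from the report's "Base64 encoded string" finding.
BLOBS = [
    "WfW86nK5ExfnQeMWWE2qCdZzCBl7cG7bFjN4V6SvwGFpVj3zzMeka+DNeW4hGFfzt4wAN7XRBjG7pIY/oq9VJw==",
    "hVwhMAQNsUXyljDP71vd98m72GL53YAwGlDjCsssHfNDfkw2BM3ZHfN+iRO2iuNMG5h7s4o49SGOokidda1jDw==",
    "zjkXUWzNCbrCuNvyAwk+9UUL/F9+lNCcmZWr0gasSBams001D5NvgW8oCOmaR521",
    "ZznELENvuYFvbI+5UX6Zctn8b3gvN4ON8e+aM5VaDwoWiwHrJ7vto3MSjZf+Tt9AjOFIGBzXx+7k8vESsDmPTw==",
]

AES_BLOCK = 16


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random data of length n tops out at min(8, log2 n)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def triage(blob: str) -> dict:
    """Decode one blob (strict alphabet check) and summarise what it looks like."""
    raw = base64.b64decode(blob, validate=True)
    return {
        "length": len(raw),
        "block_aligned": len(raw) % AES_BLOCK == 0,
        "text": looks_like_text(raw),
        "entropy": round(shannon_entropy(raw), 2),
    }


def triage_all(blobs=BLOBS):
    return [triage(b) for b in blobs]


if __name__ == "__main__":
    for blob, info in zip(BLOBS, triage_all()):
        verdict = "text" if info["text"] else (
            "block-aligned ciphertext?" if info["block_aligned"] else "binary, not block-aligned")
        print(f"{blob[:16]}...  {info['length']:3d} bytes  H={info['entropy']}  {verdict}")
```

All four decode to 64, 64, 48 and 64 bytes, none of them printable: every length is a multiple of the AES block size, which is consistent with CBC ciphertext (including PKCS7 padding) handed to TransformFinalBlock. The next step in a real analysis is to locate the key and IV in the same decompiled class and run the decryptor, which this example deliberately does not attempt because the report does not show them.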
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\0Jk67LObin.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 0Jk67LObin.exe | Static PE information: Virtual size of .text is bigger than: 0x100000