Edit tour

Windows Analysis Report
NOVA ORDEM.exe

Overview

General Information

Sample name:	NOVA ORDEM.exe
Analysis ID:	1465902
MD5:	136fe5a45a9e08721c4ee8ae540e7c43
SHA1:	be023d1cdb3625ea61f9c6733aafdbc30776462d
SHA256:	d58ae9bd3aa477d78a4b208ee5fcc32fb798a0f20ce30aef7a2b98c419b643be
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

NOVA ORDEM.exe (PID: 1344 cmdline: "C:\Users\user\Desktop\NOVA ORDEM.exe" MD5: 136FE5A45A9E08721C4EE8AE540E7C43)

conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7256 cmdline: "C:\Windows\System32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

wmplayer.exe (PID: 7264 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)

wmplayer.exe (PID: 7272 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)

WerFault.exe (PID: 7336 cmdline: C:\Windows\system32\WerFault.exe -u -p 1344 -s 1128 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ac80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x143ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.1785713329.000002571E87D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e1d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17942:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: NOVA ORDEM.exe PID: 1344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NOVA ORDEM.exe PID: 1344	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.wmplayer.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.wmplayer.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d3d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16b42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
4.2.wmplayer.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.wmplayer.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e1d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17942:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: NOVA ORDEM.exe	Virustotal: Detection: 33%			Perma Link
Source: NOVA ORDEM.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 4.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1785713329.000002571E87D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NOVA ORDEM.exe PID: 1344, type: MEMORYSTR

Source: NOVA ORDEM.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb/ source: WER6844.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: wntdll.pdbUGP source: wmplayer.exe, 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000002.2063083233.000000000394E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2029609050.0000000003452000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2031438414.0000000003606000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: wntdll.pdb source: wmplayer.exe, wmplayer.exe, 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000002.2063083233.000000000394E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2029609050.0000000003452000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2031438414.0000000003606000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6844.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdbh- source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER6844.tmp.dmp.8.dr

Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0042B6B3 NtClose,	4_2_0042B6B3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038235C0 NtCreateMutant,LdrInitializeThunk,	4_2_038235C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822B60 NtClose,LdrInitializeThunk,	4_2_03822B60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_03822DF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_03822C70
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03824340 NtSetContextThread,	4_2_03824340
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03823090 NtSetValueKey,	4_2_03823090
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03823010 NtOpenDirectoryObject,	4_2_03823010
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03824650 NtSuspendThread,	4_2_03824650
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822B80 NtQueryInformationFile,	4_2_03822B80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822BA0 NtEnumerateValueKey,	4_2_03822BA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822BE0 NtQueryValueKey,	4_2_03822BE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822BF0 NtAllocateVirtualMemory,	4_2_03822BF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822AB0 NtWaitForSingleObject,	4_2_03822AB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822AD0 NtReadFile,	4_2_03822AD0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822AF0 NtWriteFile,	4_2_03822AF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038239B0 NtGetContextThread,	4_2_038239B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822F90 NtProtectVirtualMemory,	4_2_03822F90
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822FA0 NtQuerySection,	4_2_03822FA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822FB0 NtResumeThread,	4_2_03822FB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822FE0 NtCreateFile,	4_2_03822FE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822F30 NtCreateSection,	4_2_03822F30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822F60 NtCreateProcessEx,	4_2_03822F60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822E80 NtReadVirtualMemory,	4_2_03822E80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822EA0 NtAdjustPrivilegesToken,	4_2_03822EA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822EE0 NtQueueApcThread,	4_2_03822EE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822E30 NtWriteVirtualMemory,	4_2_03822E30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822DB0 NtEnumerateKey,	4_2_03822DB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822DD0 NtDelayExecution,	4_2_03822DD0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822D00 NtSetInformationFile,	4_2_03822D00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822D10 NtMapViewOfSection,	4_2_03822D10
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03823D10 NtOpenProcessToken,	4_2_03823D10
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822D30 NtUnmapViewOfSection,	4_2_03822D30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03823D70 NtOpenThread,	4_2_03823D70
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822CA0 NtQueryInformationToken,	4_2_03822CA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822CC0 NtQueryVirtualMemory,	4_2_03822CC0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822CF0 NtOpenProcess,	4_2_03822CF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822C00 NtQueryInformationProcess,	4_2_03822C00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822C60 NtCreateKey,	4_2_03822C60

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Code function: 0_2_00007FFD9B88D409	0_2_00007FFD9B88D409
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Code function: 0_2_00007FFD9B88CC44	0_2_00007FFD9B88CC44
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Code function: 0_2_00007FFD9B88A7D0	0_2_00007FFD9B88A7D0
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Code function: 0_2_00007FFD9B885D7F	0_2_00007FFD9B885D7F
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Code function: 0_2_00007FFD9B8814ED	0_2_00007FFD9B8814ED
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Code function: 0_2_00007FFD9B880508	0_2_00007FFD9B880508
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Code function: 0_2_00007FFD9B88FD35	0_2_00007FFD9B88FD35
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Code function: 0_2_00007FFD9B960050	0_2_00007FFD9B960050
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_004032C0	4_2_004032C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0042DAC3	4_2_0042DAC3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_004022F4	4_2_004022F4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00401350	4_2_00401350
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00402300	4_2_00402300
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_004103EB	4_2_004103EB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_004103F3	4_2_004103F3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_004024E0	4_2_004024E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00416CAE	4_2_00416CAE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00416CB3	4_2_00416CB3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00410613	4_2_00410613
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0040E693	4_2_0040E693
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_004027A0	4_2_004027A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0383739A	4_2_0383739A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DD34C	4_2_037DD34C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B03E6	4_2_038B03E6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FE3F0	4_2_037FE3F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A132D	4_2_038A132D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AA352	4_2_038AA352
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B2C0	4_2_0380B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F52A0	4_2_037F52A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B01AA	4_2_038B01AA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A81CC	4_2_038A81CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E0100	4_2_037E0100
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388A118	4_2_0388A118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FB1B0	4_2_037FB1B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038BB16B	4_2_038BB16B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0382516C	4_2_0382516C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389F0CC	4_2_0389F0CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A70E9	4_2_038A70E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AF0E0	4_2_038AF0E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AF7B0	4_2_038AF7B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EC7C0	4_2_037EC7C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03814750	4_2_03814750
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A16CC	4_2_038A16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380C6E0	4_2_0380C6E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B0591	4_2_038B0591
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388D5B0	4_2_0388D5B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0535	4_2_037F0535
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A7571	4_2_038A7571
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E1460	4_2_037E1460
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389E4F6	4_2_0389E4F6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AF43F	4_2_038AF43F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A2446	4_2_038A2446
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380FB80	4_2_0380FB80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A6BD7	4_2_038A6BD7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0382DBF9	4_2_0382DBF9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AAB40	4_2_038AAB40
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AFB76	4_2_038AFB76
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03835AA0	4_2_03835AA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388DAAC	4_2_0388DAAC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389DAC6	4_2_0389DAC6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AFA49	4_2_038AFA49
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A7A46	4_2_038A7A46
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03863A6C	4_2_03863A6C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EEA80	4_2_037EEA80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038BA9A6	4_2_038BA9A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F9950	4_2_037F9950
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B950	4_2_0380B950
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F29A0	4_2_037F29A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03806962	4_2_03806962
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F2840	4_2_037F2840
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FA840	4_2_037FA840
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381E8F0	4_2_0381E8F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F38E0	4_2_037F38E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D68B8	4_2_037D68B8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AFFB1	4_2_038AFFB1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AFF09	4_2_038AFF09
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03832F28	4_2_03832F28
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03810F30	4_2_03810F30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E2FC8	4_2_037E2FC8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03864F40	4_2_03864F40
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1F92	4_2_037F1F92
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03802E90	4_2_03802E90
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038ACE93	4_2_038ACE93
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0E59	4_2_037F0E59
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AEEDB	4_2_038AEEDB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AEE26	4_2_038AEE26
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F9EB0	4_2_037F9EB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F3D40	4_2_037F3D40
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03808DBF	4_2_03808DBF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380FDC0	4_2_0380FDC0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FAD00	4_2_037FAD00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EADE0	4_2_037EADE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A1D5A	4_2_038A1D5A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A7D73	4_2_038A7D73
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890CB5	4_2_03890CB5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AFCF2	4_2_038AFCF2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0C00	4_2_037F0C00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E0CF2	4_2_037E0CF2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03869C32	4_2_03869C32

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 0386F290 appears 105 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 03837E54 appears 86 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 03825130 appears 36 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 037DB970 appears 251 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 0385EA12 appears 84 times

Source: C:\Users\user\Desktop\NOVA ORDEM.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1344 -s 1128

Source: NOVA ORDEM.exe

Static PE information: No import functions for PE file found

Source: NOVA ORDEM.exe, 00000000.00000000.1636984120.000002571C892000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUgexonelexudapivu4 vs NOVA ORDEM.exe
Source: NOVA ORDEM.exe	Binary or memory string: OriginalFilenameUgexonelexudapivu4 vs NOVA ORDEM.exe

Source: 4.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@9/5@0/0

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3272:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1344

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8f23950c-af07-4f37-b31f-6c1b858762cc

Jump to behavior

Source: NOVA ORDEM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NOVA ORDEM.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Users\user\Desktop\NOVA ORDEM.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NOVA ORDEM.exe	Virustotal: Detection: 33%
Source: NOVA ORDEM.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\NOVA ORDEM.exe

File read: C:\Users\user\Desktop\NOVA ORDEM.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NOVA ORDEM.exe "C:\Users\user\Desktop\NOVA ORDEM.exe"
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1344 -s 1128
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Section loaded: windows.storage.dll	Jump to behavior

Source: C:\Users\user\Desktop\NOVA ORDEM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NOVA ORDEM.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: NOVA ORDEM.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NOVA ORDEM.exe

Static file information: File size 1553007 > 1048576

Source: NOVA ORDEM.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: NOVA ORDEM.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb/ source: WER6844.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: wntdll.pdbUGP source: wmplayer.exe, 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000002.2063083233.000000000394E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2029609050.0000000003452000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2031438414.0000000003606000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: wntdll.pdb source: wmplayer.exe, wmplayer.exe, 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000002.2063083233.000000000394E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2029609050.0000000003452000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2031438414.0000000003606000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6844.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdbh- source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6844.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER6844.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER6844.tmp.dmp.8.dr

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Code function: 0_2_00007FFD9B960050 push esp; retf 4810h	0_2_00007FFD9B960312
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0040D063 push esi; iretd	4_2_0040D065
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00418BBB push esi; retf	4_2_00418BC5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00412479 push edx; retf	4_2_0041247E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00403550 push eax; ret	4_2_00403552
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00414D25 push ss; iretd	4_2_00414D26
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00404DA3 push FFFFFFE7h; iretd	4_2_00404DA5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00404E06 pushad ; ret	4_2_00404E07
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00418E1C push ss; retf	4_2_00418E2A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_00426F63 push eax; ret	4_2_00426F72
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E09AD push ecx; mov dword ptr [esp], ecx	4_2_037E09B6

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: NOVA ORDEM.exe PID: 1344, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E87D000.00000004.00000800.00020000.00000000.sdmp, NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E87D000.00000004.00000800.00020000.00000000.sdmp, NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory allocated: 2571CBC0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory allocated: 25736500000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Code function: 4_2_0380BBA0 rdtsc

4_2_0380BBA0

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

API coverage: 0.8 %

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe TID: 7268

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: NOVA ORDEM.exe, 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Code function: 4_2_0380BBA0 rdtsc

4_2_0380BBA0

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Code function: 4_2_00417C63 LdrLoadDll,

4_2_00417C63

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E7370 mov eax, dword ptr fs:[00000030h]	4_2_037E7370
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E7370 mov eax, dword ptr fs:[00000030h]	4_2_037E7370
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E7370 mov eax, dword ptr fs:[00000030h]	4_2_037E7370
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380438F mov eax, dword ptr fs:[00000030h]	4_2_0380438F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380438F mov eax, dword ptr fs:[00000030h]	4_2_0380438F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B539D mov eax, dword ptr fs:[00000030h]	4_2_038B539D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0383739A mov eax, dword ptr fs:[00000030h]	4_2_0383739A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0383739A mov eax, dword ptr fs:[00000030h]	4_2_0383739A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038133A0 mov eax, dword ptr fs:[00000030h]	4_2_038133A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038133A0 mov eax, dword ptr fs:[00000030h]	4_2_038133A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038033A5 mov eax, dword ptr fs:[00000030h]	4_2_038033A5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9353 mov eax, dword ptr fs:[00000030h]	4_2_037D9353
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9353 mov eax, dword ptr fs:[00000030h]	4_2_037D9353
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DD34C mov eax, dword ptr fs:[00000030h]	4_2_037DD34C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DD34C mov eax, dword ptr fs:[00000030h]	4_2_037DD34C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389C3CD mov eax, dword ptr fs:[00000030h]	4_2_0389C3CD
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D7330 mov eax, dword ptr fs:[00000030h]	4_2_037D7330
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389B3D0 mov ecx, dword ptr fs:[00000030h]	4_2_0389B3D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DC310 mov ecx, dword ptr fs:[00000030h]	4_2_037DC310
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389F3E6 mov eax, dword ptr fs:[00000030h]	4_2_0389F3E6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B53FC mov eax, dword ptr fs:[00000030h]	4_2_038B53FC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038163FF mov eax, dword ptr fs:[00000030h]	4_2_038163FF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381A30B mov eax, dword ptr fs:[00000030h]	4_2_0381A30B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381A30B mov eax, dword ptr fs:[00000030h]	4_2_0381A30B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381A30B mov eax, dword ptr fs:[00000030h]	4_2_0381A30B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386930B mov eax, dword ptr fs:[00000030h]	4_2_0386930B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386930B mov eax, dword ptr fs:[00000030h]	4_2_0386930B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386930B mov eax, dword ptr fs:[00000030h]	4_2_0386930B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FE3F0 mov eax, dword ptr fs:[00000030h]	4_2_037FE3F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FE3F0 mov eax, dword ptr fs:[00000030h]	4_2_037FE3F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FE3F0 mov eax, dword ptr fs:[00000030h]	4_2_037FE3F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03800310 mov ecx, dword ptr fs:[00000030h]	4_2_03800310
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F03E9 mov eax, dword ptr fs:[00000030h]	4_2_037F03E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F03E9 mov eax, dword ptr fs:[00000030h]	4_2_037F03E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F03E9 mov eax, dword ptr fs:[00000030h]	4_2_037F03E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F03E9 mov eax, dword ptr fs:[00000030h]	4_2_037F03E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F03E9 mov eax, dword ptr fs:[00000030h]	4_2_037F03E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F03E9 mov eax, dword ptr fs:[00000030h]	4_2_037F03E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F03E9 mov eax, dword ptr fs:[00000030h]	4_2_037F03E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F03E9 mov eax, dword ptr fs:[00000030h]	4_2_037F03E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A132D mov eax, dword ptr fs:[00000030h]	4_2_038A132D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A132D mov eax, dword ptr fs:[00000030h]	4_2_038A132D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380F32A mov eax, dword ptr fs:[00000030h]	4_2_0380F32A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_037EA3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_037EA3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_037EA3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_037EA3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_037EA3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_037EA3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E83C0 mov eax, dword ptr fs:[00000030h]	4_2_037E83C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E83C0 mov eax, dword ptr fs:[00000030h]	4_2_037E83C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E83C0 mov eax, dword ptr fs:[00000030h]	4_2_037E83C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E83C0 mov eax, dword ptr fs:[00000030h]	4_2_037E83C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B5341 mov eax, dword ptr fs:[00000030h]	4_2_038B5341
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03862349 mov eax, dword ptr fs:[00000030h]	4_2_03862349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AA352 mov eax, dword ptr fs:[00000030h]	4_2_038AA352
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386035C mov eax, dword ptr fs:[00000030h]	4_2_0386035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386035C mov eax, dword ptr fs:[00000030h]	4_2_0386035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386035C mov eax, dword ptr fs:[00000030h]	4_2_0386035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386035C mov ecx, dword ptr fs:[00000030h]	4_2_0386035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386035C mov eax, dword ptr fs:[00000030h]	4_2_0386035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386035C mov eax, dword ptr fs:[00000030h]	4_2_0386035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D8397 mov eax, dword ptr fs:[00000030h]	4_2_037D8397
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D8397 mov eax, dword ptr fs:[00000030h]	4_2_037D8397
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D8397 mov eax, dword ptr fs:[00000030h]	4_2_037D8397
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389F367 mov eax, dword ptr fs:[00000030h]	4_2_0389F367
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388437C mov eax, dword ptr fs:[00000030h]	4_2_0388437C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DE388 mov eax, dword ptr fs:[00000030h]	4_2_037DE388
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DE388 mov eax, dword ptr fs:[00000030h]	4_2_037DE388
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DE388 mov eax, dword ptr fs:[00000030h]	4_2_037DE388
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03860283 mov eax, dword ptr fs:[00000030h]	4_2_03860283
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03860283 mov eax, dword ptr fs:[00000030h]	4_2_03860283
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03860283 mov eax, dword ptr fs:[00000030h]	4_2_03860283
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381E284 mov eax, dword ptr fs:[00000030h]	4_2_0381E284
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381E284 mov eax, dword ptr fs:[00000030h]	4_2_0381E284
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B5283 mov eax, dword ptr fs:[00000030h]	4_2_038B5283
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D826B mov eax, dword ptr fs:[00000030h]	4_2_037D826B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E4260 mov eax, dword ptr fs:[00000030h]	4_2_037E4260
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E4260 mov eax, dword ptr fs:[00000030h]	4_2_037E4260
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E4260 mov eax, dword ptr fs:[00000030h]	4_2_037E4260
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381329E mov eax, dword ptr fs:[00000030h]	4_2_0381329E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381329E mov eax, dword ptr fs:[00000030h]	4_2_0381329E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038762A0 mov eax, dword ptr fs:[00000030h]	4_2_038762A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038762A0 mov ecx, dword ptr fs:[00000030h]	4_2_038762A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038762A0 mov eax, dword ptr fs:[00000030h]	4_2_038762A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038762A0 mov eax, dword ptr fs:[00000030h]	4_2_038762A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038762A0 mov eax, dword ptr fs:[00000030h]	4_2_038762A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038762A0 mov eax, dword ptr fs:[00000030h]	4_2_038762A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038772A0 mov eax, dword ptr fs:[00000030h]	4_2_038772A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038772A0 mov eax, dword ptr fs:[00000030h]	4_2_038772A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E6259 mov eax, dword ptr fs:[00000030h]	4_2_037E6259
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A92A6 mov eax, dword ptr fs:[00000030h]	4_2_038A92A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A92A6 mov eax, dword ptr fs:[00000030h]	4_2_038A92A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A92A6 mov eax, dword ptr fs:[00000030h]	4_2_038A92A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A92A6 mov eax, dword ptr fs:[00000030h]	4_2_038A92A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DA250 mov eax, dword ptr fs:[00000030h]	4_2_037DA250
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038692BC mov eax, dword ptr fs:[00000030h]	4_2_038692BC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038692BC mov eax, dword ptr fs:[00000030h]	4_2_038692BC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038692BC mov ecx, dword ptr fs:[00000030h]	4_2_038692BC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038692BC mov ecx, dword ptr fs:[00000030h]	4_2_038692BC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9240 mov eax, dword ptr fs:[00000030h]	4_2_037D9240
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9240 mov eax, dword ptr fs:[00000030h]	4_2_037D9240
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B2C0 mov eax, dword ptr fs:[00000030h]	4_2_0380B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B2C0 mov eax, dword ptr fs:[00000030h]	4_2_0380B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B2C0 mov eax, dword ptr fs:[00000030h]	4_2_0380B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B2C0 mov eax, dword ptr fs:[00000030h]	4_2_0380B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B2C0 mov eax, dword ptr fs:[00000030h]	4_2_0380B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B2C0 mov eax, dword ptr fs:[00000030h]	4_2_0380B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B2C0 mov eax, dword ptr fs:[00000030h]	4_2_0380B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D823B mov eax, dword ptr fs:[00000030h]	4_2_037D823B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380F2D0 mov eax, dword ptr fs:[00000030h]	4_2_0380F2D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380F2D0 mov eax, dword ptr fs:[00000030h]	4_2_0380F2D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038912ED mov eax, dword ptr fs:[00000030h]	4_2_038912ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B52E2 mov eax, dword ptr fs:[00000030h]	4_2_038B52E2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389F2F8 mov eax, dword ptr fs:[00000030h]	4_2_0389F2F8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D92FF mov eax, dword ptr fs:[00000030h]	4_2_037D92FF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03817208 mov eax, dword ptr fs:[00000030h]	4_2_03817208
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03817208 mov eax, dword ptr fs:[00000030h]	4_2_03817208
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F02E1 mov eax, dword ptr fs:[00000030h]	4_2_037F02E1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F02E1 mov eax, dword ptr fs:[00000030h]	4_2_037F02E1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F02E1 mov eax, dword ptr fs:[00000030h]	4_2_037F02E1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B5227 mov eax, dword ptr fs:[00000030h]	4_2_038B5227
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB2D3 mov eax, dword ptr fs:[00000030h]	4_2_037DB2D3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB2D3 mov eax, dword ptr fs:[00000030h]	4_2_037DB2D3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB2D3 mov eax, dword ptr fs:[00000030h]	4_2_037DB2D3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E92C5 mov eax, dword ptr fs:[00000030h]	4_2_037E92C5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E92C5 mov eax, dword ptr fs:[00000030h]	4_2_037E92C5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_037EA2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_037EA2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_037EA2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_037EA2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_037EA2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381724D mov eax, dword ptr fs:[00000030h]	4_2_0381724D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F02A0 mov eax, dword ptr fs:[00000030h]	4_2_037F02A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F02A0 mov eax, dword ptr fs:[00000030h]	4_2_037F02A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389B256 mov eax, dword ptr fs:[00000030h]	4_2_0389B256
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389B256 mov eax, dword ptr fs:[00000030h]	4_2_0389B256
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F52A0 mov eax, dword ptr fs:[00000030h]	4_2_037F52A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F52A0 mov eax, dword ptr fs:[00000030h]	4_2_037F52A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F52A0 mov eax, dword ptr fs:[00000030h]	4_2_037F52A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F52A0 mov eax, dword ptr fs:[00000030h]	4_2_037F52A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AD26B mov eax, dword ptr fs:[00000030h]	4_2_038AD26B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038AD26B mov eax, dword ptr fs:[00000030h]	4_2_038AD26B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03821270 mov eax, dword ptr fs:[00000030h]	4_2_03821270
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03821270 mov eax, dword ptr fs:[00000030h]	4_2_03821270
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03809274 mov eax, dword ptr fs:[00000030h]	4_2_03809274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03890274 mov eax, dword ptr fs:[00000030h]	4_2_03890274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389C188 mov eax, dword ptr fs:[00000030h]	4_2_0389C188
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389C188 mov eax, dword ptr fs:[00000030h]	4_2_0389C188
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03820185 mov eax, dword ptr fs:[00000030h]	4_2_03820185
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF172 mov eax, dword ptr fs:[00000030h]	4_2_037DF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386019F mov eax, dword ptr fs:[00000030h]	4_2_0386019F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386019F mov eax, dword ptr fs:[00000030h]	4_2_0386019F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386019F mov eax, dword ptr fs:[00000030h]	4_2_0386019F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386019F mov eax, dword ptr fs:[00000030h]	4_2_0386019F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E6154 mov eax, dword ptr fs:[00000030h]	4_2_037E6154
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E6154 mov eax, dword ptr fs:[00000030h]	4_2_037E6154
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DC156 mov eax, dword ptr fs:[00000030h]	4_2_037DC156
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E7152 mov eax, dword ptr fs:[00000030h]	4_2_037E7152
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038911A4 mov eax, dword ptr fs:[00000030h]	4_2_038911A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038911A4 mov eax, dword ptr fs:[00000030h]	4_2_038911A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038911A4 mov eax, dword ptr fs:[00000030h]	4_2_038911A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038911A4 mov eax, dword ptr fs:[00000030h]	4_2_038911A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9148 mov eax, dword ptr fs:[00000030h]	4_2_037D9148
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9148 mov eax, dword ptr fs:[00000030h]	4_2_037D9148
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9148 mov eax, dword ptr fs:[00000030h]	4_2_037D9148
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9148 mov eax, dword ptr fs:[00000030h]	4_2_037D9148
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B51CB mov eax, dword ptr fs:[00000030h]	4_2_038B51CB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A61C3 mov eax, dword ptr fs:[00000030h]	4_2_038A61C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A61C3 mov eax, dword ptr fs:[00000030h]	4_2_038A61C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB136 mov eax, dword ptr fs:[00000030h]	4_2_037DB136
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB136 mov eax, dword ptr fs:[00000030h]	4_2_037DB136
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB136 mov eax, dword ptr fs:[00000030h]	4_2_037DB136
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB136 mov eax, dword ptr fs:[00000030h]	4_2_037DB136
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E1131 mov eax, dword ptr fs:[00000030h]	4_2_037E1131
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E1131 mov eax, dword ptr fs:[00000030h]	4_2_037E1131
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381D1D0 mov eax, dword ptr fs:[00000030h]	4_2_0381D1D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381D1D0 mov ecx, dword ptr fs:[00000030h]	4_2_0381D1D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B61E5 mov eax, dword ptr fs:[00000030h]	4_2_038B61E5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038051EF mov eax, dword ptr fs:[00000030h]	4_2_038051EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038101F8 mov eax, dword ptr fs:[00000030h]	4_2_038101F8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388A118 mov ecx, dword ptr fs:[00000030h]	4_2_0388A118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388A118 mov eax, dword ptr fs:[00000030h]	4_2_0388A118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388A118 mov eax, dword ptr fs:[00000030h]	4_2_0388A118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388A118 mov eax, dword ptr fs:[00000030h]	4_2_0388A118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E51ED mov eax, dword ptr fs:[00000030h]	4_2_037E51ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A0115 mov eax, dword ptr fs:[00000030h]	4_2_038A0115
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03810124 mov eax, dword ptr fs:[00000030h]	4_2_03810124
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03874144 mov eax, dword ptr fs:[00000030h]	4_2_03874144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03874144 mov eax, dword ptr fs:[00000030h]	4_2_03874144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03874144 mov ecx, dword ptr fs:[00000030h]	4_2_03874144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03874144 mov eax, dword ptr fs:[00000030h]	4_2_03874144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03874144 mov eax, dword ptr fs:[00000030h]	4_2_03874144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FB1B0 mov eax, dword ptr fs:[00000030h]	4_2_037FB1B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B5152 mov eax, dword ptr fs:[00000030h]	4_2_038B5152
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DA197 mov eax, dword ptr fs:[00000030h]	4_2_037DA197
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DA197 mov eax, dword ptr fs:[00000030h]	4_2_037DA197
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DA197 mov eax, dword ptr fs:[00000030h]	4_2_037DA197
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03879179 mov eax, dword ptr fs:[00000030h]	4_2_03879179
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov ecx, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F1070 mov eax, dword ptr fs:[00000030h]	4_2_037F1070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380D090 mov eax, dword ptr fs:[00000030h]	4_2_0380D090
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380D090 mov eax, dword ptr fs:[00000030h]	4_2_0380D090
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381909C mov eax, dword ptr fs:[00000030h]	4_2_0381909C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E2050 mov eax, dword ptr fs:[00000030h]	4_2_037E2050
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A60B8 mov eax, dword ptr fs:[00000030h]	4_2_038A60B8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A60B8 mov ecx, dword ptr fs:[00000030h]	4_2_038A60B8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B50D9 mov eax, dword ptr fs:[00000030h]	4_2_038B50D9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038620DE mov eax, dword ptr fs:[00000030h]	4_2_038620DE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038090DB mov eax, dword ptr fs:[00000030h]	4_2_038090DB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DA020 mov eax, dword ptr fs:[00000030h]	4_2_037DA020
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DC020 mov eax, dword ptr fs:[00000030h]	4_2_037DC020
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038050E4 mov eax, dword ptr fs:[00000030h]	4_2_038050E4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038050E4 mov ecx, dword ptr fs:[00000030h]	4_2_038050E4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FE016 mov eax, dword ptr fs:[00000030h]	4_2_037FE016
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FE016 mov eax, dword ptr fs:[00000030h]	4_2_037FE016
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FE016 mov eax, dword ptr fs:[00000030h]	4_2_037FE016
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FE016 mov eax, dword ptr fs:[00000030h]	4_2_037FE016
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038220F0 mov ecx, dword ptr fs:[00000030h]	4_2_038220F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DC0F0 mov eax, dword ptr fs:[00000030h]	4_2_037DC0F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E80E9 mov eax, dword ptr fs:[00000030h]	4_2_037E80E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DA0E3 mov ecx, dword ptr fs:[00000030h]	4_2_037DA0E3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A903E mov eax, dword ptr fs:[00000030h]	4_2_038A903E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A903E mov eax, dword ptr fs:[00000030h]	4_2_038A903E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A903E mov eax, dword ptr fs:[00000030h]	4_2_038A903E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A903E mov eax, dword ptr fs:[00000030h]	4_2_038A903E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov ecx, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov ecx, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov ecx, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov ecx, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F70C0 mov eax, dword ptr fs:[00000030h]	4_2_037F70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380B052 mov eax, dword ptr fs:[00000030h]	4_2_0380B052
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388705E mov ebx, dword ptr fs:[00000030h]	4_2_0388705E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0388705E mov eax, dword ptr fs:[00000030h]	4_2_0388705E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E5096 mov eax, dword ptr fs:[00000030h]	4_2_037E5096
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B5060 mov eax, dword ptr fs:[00000030h]	4_2_038B5060
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DD08D mov eax, dword ptr fs:[00000030h]	4_2_037DD08D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380C073 mov eax, dword ptr fs:[00000030h]	4_2_0380C073
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E208A mov eax, dword ptr fs:[00000030h]	4_2_037E208A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389F78A mov eax, dword ptr fs:[00000030h]	4_2_0389F78A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E8770 mov eax, dword ptr fs:[00000030h]	4_2_037E8770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F0770 mov eax, dword ptr fs:[00000030h]	4_2_037F0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB765 mov eax, dword ptr fs:[00000030h]	4_2_037DB765
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB765 mov eax, dword ptr fs:[00000030h]	4_2_037DB765
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB765 mov eax, dword ptr fs:[00000030h]	4_2_037DB765
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DB765 mov eax, dword ptr fs:[00000030h]	4_2_037DB765
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386F7AF mov eax, dword ptr fs:[00000030h]	4_2_0386F7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386F7AF mov eax, dword ptr fs:[00000030h]	4_2_0386F7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386F7AF mov eax, dword ptr fs:[00000030h]	4_2_0386F7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386F7AF mov eax, dword ptr fs:[00000030h]	4_2_0386F7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386F7AF mov eax, dword ptr fs:[00000030h]	4_2_0386F7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E0750 mov eax, dword ptr fs:[00000030h]	4_2_037E0750
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038697A9 mov eax, dword ptr fs:[00000030h]	4_2_038697A9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380D7B0 mov eax, dword ptr fs:[00000030h]	4_2_0380D7B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B37B6 mov eax, dword ptr fs:[00000030h]	4_2_038B37B6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F3740 mov eax, dword ptr fs:[00000030h]	4_2_037F3740
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F3740 mov eax, dword ptr fs:[00000030h]	4_2_037F3740
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F3740 mov eax, dword ptr fs:[00000030h]	4_2_037F3740
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E973A mov eax, dword ptr fs:[00000030h]	4_2_037E973A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E973A mov eax, dword ptr fs:[00000030h]	4_2_037E973A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9730 mov eax, dword ptr fs:[00000030h]	4_2_037D9730
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D9730 mov eax, dword ptr fs:[00000030h]	4_2_037D9730
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E3720 mov eax, dword ptr fs:[00000030h]	4_2_037E3720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FF720 mov eax, dword ptr fs:[00000030h]	4_2_037FF720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FF720 mov eax, dword ptr fs:[00000030h]	4_2_037FF720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FF720 mov eax, dword ptr fs:[00000030h]	4_2_037FF720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038027ED mov eax, dword ptr fs:[00000030h]	4_2_038027ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038027ED mov eax, dword ptr fs:[00000030h]	4_2_038027ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038027ED mov eax, dword ptr fs:[00000030h]	4_2_038027ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E0710 mov eax, dword ptr fs:[00000030h]	4_2_037E0710
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E5702 mov eax, dword ptr fs:[00000030h]	4_2_037E5702
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E5702 mov eax, dword ptr fs:[00000030h]	4_2_037E5702
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E7703 mov eax, dword ptr fs:[00000030h]	4_2_037E7703
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381C700 mov eax, dword ptr fs:[00000030h]	4_2_0381C700
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E47FB mov eax, dword ptr fs:[00000030h]	4_2_037E47FB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E47FB mov eax, dword ptr fs:[00000030h]	4_2_037E47FB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03810710 mov eax, dword ptr fs:[00000030h]	4_2_03810710
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037ED7E0 mov ecx, dword ptr fs:[00000030h]	4_2_037ED7E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381F71F mov eax, dword ptr fs:[00000030h]	4_2_0381F71F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381F71F mov eax, dword ptr fs:[00000030h]	4_2_0381F71F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381C720 mov eax, dword ptr fs:[00000030h]	4_2_0381C720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381C720 mov eax, dword ptr fs:[00000030h]	4_2_0381C720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A972B mov eax, dword ptr fs:[00000030h]	4_2_038A972B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389F72E mov eax, dword ptr fs:[00000030h]	4_2_0389F72E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0385C730 mov eax, dword ptr fs:[00000030h]	4_2_0385C730
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03815734 mov eax, dword ptr fs:[00000030h]	4_2_03815734
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038BB73C mov eax, dword ptr fs:[00000030h]	4_2_038BB73C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038BB73C mov eax, dword ptr fs:[00000030h]	4_2_038BB73C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038BB73C mov eax, dword ptr fs:[00000030h]	4_2_038BB73C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038BB73C mov eax, dword ptr fs:[00000030h]	4_2_038BB73C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381273C mov eax, dword ptr fs:[00000030h]	4_2_0381273C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381273C mov ecx, dword ptr fs:[00000030h]	4_2_0381273C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381273C mov eax, dword ptr fs:[00000030h]	4_2_0381273C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EC7C0 mov eax, dword ptr fs:[00000030h]	4_2_037EC7C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E57C0 mov eax, dword ptr fs:[00000030h]	4_2_037E57C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E57C0 mov eax, dword ptr fs:[00000030h]	4_2_037E57C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E57C0 mov eax, dword ptr fs:[00000030h]	4_2_037E57C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B3749 mov eax, dword ptr fs:[00000030h]	4_2_038B3749
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF7BA mov eax, dword ptr fs:[00000030h]	4_2_037DF7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF7BA mov eax, dword ptr fs:[00000030h]	4_2_037DF7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF7BA mov eax, dword ptr fs:[00000030h]	4_2_037DF7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF7BA mov eax, dword ptr fs:[00000030h]	4_2_037DF7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF7BA mov eax, dword ptr fs:[00000030h]	4_2_037DF7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF7BA mov eax, dword ptr fs:[00000030h]	4_2_037DF7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF7BA mov eax, dword ptr fs:[00000030h]	4_2_037DF7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF7BA mov eax, dword ptr fs:[00000030h]	4_2_037DF7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF7BA mov eax, dword ptr fs:[00000030h]	4_2_037DF7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381674D mov esi, dword ptr fs:[00000030h]	4_2_0381674D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381674D mov eax, dword ptr fs:[00000030h]	4_2_0381674D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381674D mov eax, dword ptr fs:[00000030h]	4_2_0381674D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E07AF mov eax, dword ptr fs:[00000030h]	4_2_037E07AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822750 mov eax, dword ptr fs:[00000030h]	4_2_03822750
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822750 mov eax, dword ptr fs:[00000030h]	4_2_03822750
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03864755 mov eax, dword ptr fs:[00000030h]	4_2_03864755
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386368C mov eax, dword ptr fs:[00000030h]	4_2_0386368C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386368C mov eax, dword ptr fs:[00000030h]	4_2_0386368C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386368C mov eax, dword ptr fs:[00000030h]	4_2_0386368C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386368C mov eax, dword ptr fs:[00000030h]	4_2_0386368C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381C6A6 mov eax, dword ptr fs:[00000030h]	4_2_0381C6A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038166B0 mov eax, dword ptr fs:[00000030h]	4_2_038166B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FC640 mov eax, dword ptr fs:[00000030h]	4_2_037FC640
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381A6C7 mov ebx, dword ptr fs:[00000030h]	4_2_0381A6C7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381A6C7 mov eax, dword ptr fs:[00000030h]	4_2_0381A6C7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A16CC mov eax, dword ptr fs:[00000030h]	4_2_038A16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A16CC mov eax, dword ptr fs:[00000030h]	4_2_038A16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A16CC mov eax, dword ptr fs:[00000030h]	4_2_038A16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A16CC mov eax, dword ptr fs:[00000030h]	4_2_038A16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389F6C7 mov eax, dword ptr fs:[00000030h]	4_2_0389F6C7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038116CF mov eax, dword ptr fs:[00000030h]	4_2_038116CF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E262C mov eax, dword ptr fs:[00000030h]	4_2_037E262C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037FE627 mov eax, dword ptr fs:[00000030h]	4_2_037FE627
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF626 mov eax, dword ptr fs:[00000030h]	4_2_037DF626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF626 mov eax, dword ptr fs:[00000030h]	4_2_037DF626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF626 mov eax, dword ptr fs:[00000030h]	4_2_037DF626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF626 mov eax, dword ptr fs:[00000030h]	4_2_037DF626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF626 mov eax, dword ptr fs:[00000030h]	4_2_037DF626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF626 mov eax, dword ptr fs:[00000030h]	4_2_037DF626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF626 mov eax, dword ptr fs:[00000030h]	4_2_037DF626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF626 mov eax, dword ptr fs:[00000030h]	4_2_037DF626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DF626 mov eax, dword ptr fs:[00000030h]	4_2_037DF626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380D6E0 mov eax, dword ptr fs:[00000030h]	4_2_0380D6E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0380D6E0 mov eax, dword ptr fs:[00000030h]	4_2_0380D6E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E3616 mov eax, dword ptr fs:[00000030h]	4_2_037E3616
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E3616 mov eax, dword ptr fs:[00000030h]	4_2_037E3616
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038736EE mov eax, dword ptr fs:[00000030h]	4_2_038736EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038736EE mov eax, dword ptr fs:[00000030h]	4_2_038736EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038736EE mov eax, dword ptr fs:[00000030h]	4_2_038736EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038736EE mov eax, dword ptr fs:[00000030h]	4_2_038736EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038736EE mov eax, dword ptr fs:[00000030h]	4_2_038736EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038736EE mov eax, dword ptr fs:[00000030h]	4_2_038736EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F260B mov eax, dword ptr fs:[00000030h]	4_2_037F260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F260B mov eax, dword ptr fs:[00000030h]	4_2_037F260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F260B mov eax, dword ptr fs:[00000030h]	4_2_037F260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F260B mov eax, dword ptr fs:[00000030h]	4_2_037F260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F260B mov eax, dword ptr fs:[00000030h]	4_2_037F260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F260B mov eax, dword ptr fs:[00000030h]	4_2_037F260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037F260B mov eax, dword ptr fs:[00000030h]	4_2_037F260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0385E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0385E6F2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0385E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0385E6F2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0385E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0385E6F2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0385E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0385E6F2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038606F1 mov eax, dword ptr fs:[00000030h]	4_2_038606F1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038606F1 mov eax, dword ptr fs:[00000030h]	4_2_038606F1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0389D6F0 mov eax, dword ptr fs:[00000030h]	4_2_0389D6F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381F603 mov eax, dword ptr fs:[00000030h]	4_2_0381F603
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03811607 mov eax, dword ptr fs:[00000030h]	4_2_03811607
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0385E609 mov eax, dword ptr fs:[00000030h]	4_2_0385E609
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03822619 mov eax, dword ptr fs:[00000030h]	4_2_03822619
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03816620 mov eax, dword ptr fs:[00000030h]	4_2_03816620
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03818620 mov eax, dword ptr fs:[00000030h]	4_2_03818620
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038B5636 mov eax, dword ptr fs:[00000030h]	4_2_038B5636
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EB6C0 mov eax, dword ptr fs:[00000030h]	4_2_037EB6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EB6C0 mov eax, dword ptr fs:[00000030h]	4_2_037EB6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EB6C0 mov eax, dword ptr fs:[00000030h]	4_2_037EB6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EB6C0 mov eax, dword ptr fs:[00000030h]	4_2_037EB6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EB6C0 mov eax, dword ptr fs:[00000030h]	4_2_037EB6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037EB6C0 mov eax, dword ptr fs:[00000030h]	4_2_037EB6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D76B2 mov eax, dword ptr fs:[00000030h]	4_2_037D76B2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D76B2 mov eax, dword ptr fs:[00000030h]	4_2_037D76B2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037D76B2 mov eax, dword ptr fs:[00000030h]	4_2_037D76B2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DD6AA mov eax, dword ptr fs:[00000030h]	4_2_037DD6AA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037DD6AA mov eax, dword ptr fs:[00000030h]	4_2_037DD6AA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381A660 mov eax, dword ptr fs:[00000030h]	4_2_0381A660
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381A660 mov eax, dword ptr fs:[00000030h]	4_2_0381A660
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03819660 mov eax, dword ptr fs:[00000030h]	4_2_03819660
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03819660 mov eax, dword ptr fs:[00000030h]	4_2_03819660
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A866E mov eax, dword ptr fs:[00000030h]	4_2_038A866E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_038A866E mov eax, dword ptr fs:[00000030h]	4_2_038A866E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E4690 mov eax, dword ptr fs:[00000030h]	4_2_037E4690
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_037E4690 mov eax, dword ptr fs:[00000030h]	4_2_037E4690
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03812674 mov eax, dword ptr fs:[00000030h]	4_2_03812674
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_03814588 mov eax, dword ptr fs:[00000030h]	4_2_03814588
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386B594 mov eax, dword ptr fs:[00000030h]	4_2_0386B594
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0386B594 mov eax, dword ptr fs:[00000030h]	4_2_0386B594
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4_2_0381E59C mov eax, dword ptr fs:[00000030h]	4_2_0381E59C

Source: C:\Users\user\Desktop\NOVA ORDEM.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NOVA ORDEM.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: NOVA ORDEM.exe, ---------.cs	Reference to suspicious API methods: GetProcAddress(_0E67_EE35_061B_08FD_EEBC_EEA8_EE00_EE90_0655_060B_EE31, _EE47_EE21_064B_EE2E_0619_EEDE_08F0_0E7E)
Source: NOVA ORDEM.exe, ---------.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_EE75_064E_08FD_08EE_08F2_EE24_FE75_EEA1_08CE_06EA_EE76_EE28_08FC_08CA_08C8_EE7E_08E1_0E77_EC7C_EE4F_EE5D_EEE1_ECAA_ECA4.Length, 64u, out var _EE25_EE71_EE22_EEC7_06DC_EE2C_ECA2_08F0_EECA_EE86_EE9E_EE6C_0E64)
Source: NOVA ORDEM.exe, ---------.cs	Reference to suspicious API methods: LoadLibrary(_0E6B_EE3F_EE71(_EE2E_EE27_08DF_0604_EC87_EE84_EECB_EE68._EE2B_0E79_08F5_EEB7_EEBF_EE75_EE70_0E79_EE61))

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory allocated: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory written: C:\Windows\System32\cmd.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 30E5008	Jump to behavior

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Users\user\Desktop\NOVA ORDEM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NOVA ORDEM.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NOVA ORDEM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	3 Virtualization/Sandbox Evasion	OS Credential Dumping	131 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NOVA ORDEM.exe	34%	Virustotal		Browse
NOVA ORDEM.exe	34%	ReversingLabs	Win64.Trojan.Nekark

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	NOVA ORDEM.exe, 00000000.00000002.1787859610.0000025737ED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465902
Start date and time:	2024-07-02 08:21:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NOVA ORDEM.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@9/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 78% Number of executed functions: 23 Number of non-executed functions: 234
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:22:55	API Interceptor	1x Sleep call for process: WerFault.exe modified
02:23:21	API Interceptor	3x Sleep call for process: wmplayer.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NOVA ORDEM.exe_183265296818dedab7d0b93d41b13e51f02317e6_4b8a3282_5d79ce14-7b1c-47f3-9856-1b13ca046127\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0839442403098154
Encrypted:	false
SSDEEP:	192:bIU1WdzQ3l50UnUlaWBe3ZFlnG0/zuiFaZ24lO8Qj9j:31WdzQ3YUnUlamwG2zuiFaY4lO8Qd
MD5:	E90E7C210EB4266603C38CF4907D5D60
SHA1:	E60BEA140431E7A5137068FB694C33859AEC89DB
SHA-256:	55EDE483F9D49F283F7B2322DFB7E2D0FE33CF2E6E2F9FB4AE865416FDB80124
SHA-512:	D89E3EAB0892FF0CAB93F5C87A7DD81E89D82E4907A1E4C9DCC12AB58944C8723E455E55BAA96D02BCD8DED21E35CB68EB1D0DF71706FA696596AD24615BF2E8
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.7.4.9.6.4.2.1.9.1.8.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.7.4.9.6.5.0.1.6.0.5.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.7.9.c.e.1.4.-.7.b.1.c.-.4.7.f.3.-.9.8.5.6.-.1.b.1.3.c.a.0.4.6.1.2.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.e.7.4.7.b.f.-.3.f.0.7.-.4.e.7.9.-.9.d.b.f.-.0.3.b.f.5.b.e.f.7.e.6.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.N.O.V.A. .O.R.D.E.M...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.g.e.x.o.n.e.l.e.x.u.d.a.p.i.v.u.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.4.0.-.0.0.0.1.-.0.0.1.4.-.5.2.a.2.-.f.b.3.d.4.8.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.7.5.7.8.5.6.1.3.1.b.3.2.9.9.c.c.2.5.4.5.7.4.9.5.9.d.1.1.c.2.c.0.0.0.0.0.0.0.0.!.0.0.0.0.b.e.0.2.3.d.1.c.d.b.3.6.2.5.e.a.6.1.f.9.c.6.7.3.3.a.a.f.d.b.c.3.0.7.7.6.4.6.2.d.!.N.O.V.A. .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6844.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Jul 2 06:22:44 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	468519
Entropy (8bit):	3.3896616501457184
Encrypted:	false
SSDEEP:	3072:0YjkqCtKDTsmLd8x4srf2ftBUcSEmf1CCq/RLlFV9Mv3+va/o+I:0YjkYDt+TrZHqVMv3Q
MD5:	4D675033DADD86D73C81F3EDDA539E82
SHA1:	85F042EA7158F317D248A2A321D4F2C133C61CFE
SHA-256:	C44DCF3B4537004E56877AEA02500AC4B2A6AB0B25B41F063EFF0C3D07FDC723
SHA-512:	3D45B23ECF28E84D183A53D297796D48B05ED4CB98C97D8B00AEFE6A4C9FA46E677C4A589F0144BA59687BD422AFB3311739860B734672EA42635345F8A389D9
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............D...............d.......$...X...........\|........U..............l.......8...........T............,..g............=...........>..............................................................................eJ.......?......Lw......................T.......@......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69FA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9054
Entropy (8bit):	3.7166687332028645
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8VbLB6Y9PVWggmf46Japr+89bNHUfPJvm:R6lXJGXB6YVVWggmf4i4N0fPs
MD5:	C1020C95AC8B82F7072DB5B0AEA5FFDA
SHA1:	F61644C5F6F6A1C61746C60FEE3DA3450CC51DC7
SHA-256:	56CE8DF0D6FCB6A7150A3C2B234C62F3715E9F93BF9753AFA3EA12C1D3D0DEF4
SHA-512:	2C442ADCDDD94C632AE766B7731ADDA235FA5791459097B025964AFA1873221E54AD0B8BE3978FEC3A2F902BBA8B29513DB23E7E4B26DF45A2CD139319AC4EC0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A2A.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4768
Entropy (8bit):	4.533684164745694
Encrypted:	false
SSDEEP:	48:cvIwWl8zscNJg771I9qNWpW8VYSYm8M4J8YTNAFpyq85QReB+2rqcT8DT281d:uIjfcnI7587VeJj+vIrqko2yd
MD5:	187F7E757351251F6EFB607EAD1A5187
SHA1:	162E060EBAF7D9DBC247BF5539EE5A2447BF7D28
SHA-256:	7777A5AA6D2661D65B5E30A1F18382FBC469B8D6972FF5CA4BF2103A3DC78A4E
SHA-512:	F6C23EBF259892F6D7ADC14BB0498A9E39BE704B9A70E43B5073B74555E9ED84D09DA27EB774FABCA3C96FA2D327472846717D3A557C927F7CD137C174066834
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="392965" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4659467420099
Encrypted:	false
SSDEEP:	6144:SIXfpi67eLPU9skLmb0b4CWSPKaJG8nAgejZMMhA2gX4WABl0uNwdwBCswSbe:XXD94CWlLZMM6YFHq+e
MD5:	EA4348A047C18811E959D26B17649065
SHA1:	0C260AC1BB3CDC7F726F0AA8473D0AFE154E8E2B
SHA-256:	4C42F883DACD2BE38B1FA02536C9C06E856243ED4D3519B987A294B9298B427E
SHA-512:	BE1F14E202723005F184FADC6443028FFCF18D36237F48852D197D94A70284C6DB36261C67842766DA8A4295A38435B574D5FD1E7EB2DF5D9D6D9350EE4A87D4
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...?H...............................................................................................................................................................................................................................................................................................................................................8...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.875374057480727
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	NOVA ORDEM.exe
File size:	1'553'007 bytes
MD5:	136fe5a45a9e08721c4ee8ae540e7c43
SHA1:	be023d1cdb3625ea61f9c6733aafdbc30776462d
SHA256:	d58ae9bd3aa477d78a4b208ee5fcc32fb798a0f20ce30aef7a2b98c419b643be
SHA512:	673af0f9a91f03f990a622aa146e1245d4fe9730f6704e4e6e29ac6bfc9426b15e780292b909f4d6cfcbef845b847b2fceeda5c64db874ede44b30710f839473
SSDEEP:	24576:EwHQn+qL3www7jkU22gQHix+AtqHodbwWNkVS9SONQ813m:ETd3D2jH229C+OZy88
TLSH:	4F7511107E476D2BFE9A0179D0D236F512FD8E8774F6818FEF880C958C9A57D4A2A036
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.................. ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6682ACAB [Mon Jul 1 13:18:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x99c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb55e	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x95fa	0x9600	0b40e59924897bbf62422ae394faa194	False	0.588671875	data	6.454628706739244	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x99c	0xa00	3030bfa26a7aa2de61357c844a5facf8	False	0.308984375	data	4.231814438375335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0b8	0x37c	data			0.48654708520179374
RT_VERSION	0xc434	0x37c	data	English	United States	0.48878923766816146
RT_MANIFEST	0xc7b0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: NOVA ORDEM.exePID: 1344, Parent PID: 2580

General

Target ID:	0
Start time:	02:22:41
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\NOVA ORDEM.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\NOVA ORDEM.exe"
Imagebase:	0x2571c890000
File size:	1'553'007 bytes
MD5 hash:	136FE5A45A9E08721C4EE8AE540E7C43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1785713329.000002571E87D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1785713329.000002571E540000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3272, Parent PID: 1344

General

Target ID:	1
Start time:	02:22:41
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7256, Parent PID: 1344

General

Target ID:	3
Start time:	02:22:43
Start date:	02/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\cmd.exe"
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: wmplayer.exePID: 7264, Parent PID: 1344

General

Target ID:	4
Start time:	02:22:43
Start date:	02/07/2024
Path:	C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Imagebase:	0x160000
File size:	166'912 bytes
MD5 hash:	A7790328035BBFCF041A6D815F9C28DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2063350156.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: wmplayer.exePID: 7272, Parent PID: 1344

General

Target ID:	5
Start time:	02:22:43
Start date:	02/07/2024
Path:	C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Imagebase:
File size:	166'912 bytes
MD5 hash:	A7790328035BBFCF041A6D815F9C28DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7336, Parent PID: 1344

General

Target ID:	8
Start time:	02:22:44
Start date:	02/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1344 -s 1128
Imagebase:	0x7ff7699e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: NOVA ORDEM.exePID: 1344, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B88FD35 Relevance: 4.9, Strings: 2, Instructions: 2384COMMON

Download Yara Rule

Strings

x6P., xrefs: 00007FFD9B8910D9
x6P., xrefs: 00007FFD9B8911E9

Memory Dump Source

Source File: 00000000.00000002.1789069749.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_NOVA ORDEM.jbxd

Similarity

API ID:
String ID: x6P.$x6P.
API String ID: 0-753035878
Opcode ID: d07452e60fdf762af28ab867179434ebe90dcfd9778d76e91990ecb23eaba803
Instruction ID: 4da6924d26dafff63d532f0efda222f827774d2cec79fccffd6fa8b1d09cf130
Opcode Fuzzy Hash: d07452e60fdf762af28ab867179434ebe90dcfd9778d76e91990ecb23eaba803
Instruction Fuzzy Hash: EDF27A3061DB494FE729DB28C4A14B5BBE2FF89301B0445BED4DAC72A6DE34E946C781

Function 00007FFD9B960050 Relevance: 3.3, Strings: 1, Instructions: 2085COMMON

Download Yara Rule

Strings

u}\8, xrefs: 00007FFD9B961459

Memory Dump Source

Source File: 00000000.00000002.1789878459.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_NOVA ORDEM.jbxd

Similarity

API ID:
String ID: u}\8
API String ID: 0-528539255
Opcode ID: 171d39cbc4b4ade9dcf62f76de180fa046563c40718cca6ff1af2eb6ed59cf2a
Instruction ID: fecee5ea9d83fd1eeb9e0f3b1a42e54c51e3102ac7277236c8d05f93e931c103
Opcode Fuzzy Hash: 171d39cbc4b4ade9dcf62f76de180fa046563c40718cca6ff1af2eb6ed59cf2a
Instruction Fuzzy Hash: DDD24D7191FBC99FD766CB6888E55A87FE0EF56700F0905FED089CB0A7DA246906C381

Function 00007FFD9B885D7F Relevance: 1.6, Strings: 1, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFD9B885DD0

Memory Dump Source

Source File: 00000000.00000002.1789069749.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_NOVA ORDEM.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: 4a54111af4e29fb06ed9f98faeec2d525ee6cacf0e95ff395b1147b80c7f1bb0
Instruction ID: e661c5caec2000df1bf7d79b38e7d9df93be691667b1ea7b04d0a31d67130935
Opcode Fuzzy Hash: 4a54111af4e29fb06ed9f98faeec2d525ee6cacf0e95ff395b1147b80c7f1bb0
Instruction Fuzzy Hash: B3A1F531B1DE4D0FE76CEB6898655B973E1FF99310B01057EE49BC32A2ED34A9428781

Function 00007FFD9B88A7D0 Relevance: .8, Instructions: 846COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789069749.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_NOVA ORDEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83bab7e81a654efba67dd0d62cc03ca778998ca113f2f22565b4ae0cbe5eff81
Instruction ID: d89aae997d380db652e39564ab041d378577c4b6997820eb919b1f30f9a2ad91
Opcode Fuzzy Hash: 83bab7e81a654efba67dd0d62cc03ca778998ca113f2f22565b4ae0cbe5eff81
Instruction Fuzzy Hash: 73420630B0DA0D8FDB78DB689865A7977E1EF59301F1501BEE09EC36A2DE34AD428741

Function 00007FFD9B88CC44 Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789069749.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_NOVA ORDEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5ad2fff377cc7c739cf243ff75641dd7d6c213101efc10c8b0547cf7e8cb4c
Instruction ID: f29aec6d76f76ccd0d82a1462614a9250d5578bef18fb1082c0fec1b8786499e
Opcode Fuzzy Hash: 0f5ad2fff377cc7c739cf243ff75641dd7d6c213101efc10c8b0547cf7e8cb4c
Instruction Fuzzy Hash: 15228A31A0EF4A0FE369CB2884654B577D2FF99301B0545BED09AC72B6DE39A942C781

Function 00007FFD9B8814ED Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789069749.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_NOVA ORDEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2079c0653ec74c7e74ef4f78c083448f3c18d047aeb03604490a576c64afedf7
Instruction ID: 2890dabae6ea20bbd2c408ab42d0384fbaf61a53e2194eabd39e00248d1a31fd
Opcode Fuzzy Hash: 2079c0653ec74c7e74ef4f78c083448f3c18d047aeb03604490a576c64afedf7
Instruction Fuzzy Hash: F9122431A1DF894FD7ADEB2888266B67BE1EF99300F1404BED09AC71A2DE34D506C741

Function 00007FFD9B88D409 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789069749.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_NOVA ORDEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39ca0d01ad1883c3b471cae7959dff92e1d12cd4aa794394d2b5ae5b59b952a
Instruction ID: 40fdfeb510527278c9817d2732186ea72836f8557b0d90a141c97a5f74e8bb2d
Opcode Fuzzy Hash: a39ca0d01ad1883c3b471cae7959dff92e1d12cd4aa794394d2b5ae5b59b952a
Instruction Fuzzy Hash: 75E15A3160EF5A4FE32DCB2884A11B177D2FF95301B15467ED4EAC72A5DE38A942C781

Function 00007FFD9B880508 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789069749.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_NOVA ORDEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77db8b2da8b9d369f558c500cd37eb7dc7f43615c426dd960c2ac3407822bc53
Instruction ID: 00cdb9254aadba039728a80463dd2b45f744030e376946d46e4d9d0657129f4c
Opcode Fuzzy Hash: 77db8b2da8b9d369f558c500cd37eb7dc7f43615c426dd960c2ac3407822bc53
Instruction Fuzzy Hash: 4191C230B19D0E4BE768EBAC94657B972D2EF9C340F51047DE42EC72E6DE38AD424241

Function 00007FFD9B88497A Relevance: 1.6, APIs: 1, Instructions: 139
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B884A51

Memory Dump Source

Source File: 00000000.00000002.1789069749.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_NOVA ORDEM.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 97ed88d41338744338ad2d8062da5a17846838c287e3b6fafdaee4628c621f29
Instruction ID: 83b1dff16161cf4d1712495a3147b9cdc0305cabcf44a82e17f72a3feee205ec
Opcode Fuzzy Hash: 97ed88d41338744338ad2d8062da5a17846838c287e3b6fafdaee4628c621f29
Instruction Fuzzy Hash: AD413B3190DB884FD719DBA89C566E87FF0EF56321F0402AFD059C31A3CB646456C791

Function 00007FFD9B880DA5 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFD9B880E3F

Memory Dump Source

Source File: 00000000.00000002.1789069749.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_NOVA ORDEM.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 46495a6298c9685c63d24bc18fcb59bf8d9ba09f4a4a9654dbef1300276864e1
Instruction ID: 594bd3568c661e536c3133c489e27702c043d1c28fb655e616336df0d7b2ecaa
Opcode Fuzzy Hash: 46495a6298c9685c63d24bc18fcb59bf8d9ba09f4a4a9654dbef1300276864e1
Instruction Fuzzy Hash: 3231B53150D7488FDB15DFA8C845BE97BF0EF56320F0442AFD089C3562D768A84ACB51

Function 00007FFD9B9610C9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789878459.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_NOVA ORDEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceba505ddcd5610912edc71278817a26a2a8c43a4df5f8f54acaa9e45a78a19b
Instruction ID: a7d61545d51ca33735e96c72814c32afa01a8aba1f25c1dce8b00b376091bf6f
Opcode Fuzzy Hash: ceba505ddcd5610912edc71278817a26a2a8c43a4df5f8f54acaa9e45a78a19b
Instruction Fuzzy Hash: 78414935A0EA9C9FDB66DF24C8A55AC7FB0FF55304B0641FBD049C71A2DA25A945C380

Analysis Process: wmplayer.exePID: 7264, Parent PID: 1344COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	6%
Signature Coverage:	6%
Total number of Nodes:	100
Total number of Limit Nodes:	8

Executed Functions

Function 00417C63 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417CD5

Memory Dump Source

Source File: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2a2af54928d3678a03ad332f7664ef329cdaa94ac3d1ab9d1b84da7e582a2a57
Instruction ID: 58d7297c4cdfce495d52b7614655f87b407d1bffab3a0c344d7b36e0a6d5be2b
Opcode Fuzzy Hash: 2a2af54928d3678a03ad332f7664ef329cdaa94ac3d1ab9d1b84da7e582a2a57
Instruction Fuzzy Hash: 300125B5E0410DB7DF10DBE5DC42FDEB7789B54304F008196E90897241F635EB548795

Function 0042B6B3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0042B6E7

Memory Dump Source

Source File: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 0669bdc38ca90cdfe594c13d841d33f2640e0aa297ca3699aecab2a0a37edd70
Instruction ID: b2e7eecf5250200ca730ffc6990241c6a09b1657561de58db88849e9ea1a031b
Opcode Fuzzy Hash: 0669bdc38ca90cdfe594c13d841d33f2640e0aa297ca3699aecab2a0a37edd70
Instruction Fuzzy Hash: 82E04F766442147BD120EA5ADC41F9B776CEBC5714F00802AFA08A7281C675BA0587B4

Function 038235C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 038235CA

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 802363e99e7f0329701bf90510837ac2dde111c6179e3c6112dc026a86dbd55d
Instruction ID: 0815461cb93409aa3e0101423a95a930bd72f1cbf2c2e0070ef8befa9253425f
Opcode Fuzzy Hash: 802363e99e7f0329701bf90510837ac2dde111c6179e3c6112dc026a86dbd55d
Instruction Fuzzy Hash: 4C90023160550806D100B1984514706101587D1201F75C451B142C578D87958A5975E3

Function 03822B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03822B6A

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e314d72f29f88a376f6e39403ca2bdca7af1221500fe8f189a2ddb8eef4049ea
Instruction ID: a3b34e34cda107bf88bf37d08a57dcd9c38171e8f01e2202ba06cea73b119baa
Opcode Fuzzy Hash: e314d72f29f88a376f6e39403ca2bdca7af1221500fe8f189a2ddb8eef4049ea
Instruction Fuzzy Hash: 0B900261202404074105B1984414616401A87E1201B65C061F201C5A0DC62589997166

Function 03822DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03822DFA

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c774a532866f2157ef2d993e98d4ed13c5da70016d112ddbf77d91f5b7852c99
Instruction ID: 7bac69d97808105fbc721ae5994d0b7359f4161c0975406f9c619155c4454d1a
Opcode Fuzzy Hash: c774a532866f2157ef2d993e98d4ed13c5da70016d112ddbf77d91f5b7852c99
Instruction Fuzzy Hash: E690023120140817D111B1984504707001987D1241FA5C452B142C568D97568A5AB162

Function 03822C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03822C7A

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df20e327e1c4523750579de92f439892768cf3ead263a9dc5b5ac292e736c4a3
Instruction ID: 6f6f6af2ff554deb1d78274aa82ca77e708aead6648f78122d795c6933562737
Opcode Fuzzy Hash: df20e327e1c4523750579de92f439892768cf3ead263a9dc5b5ac292e736c4a3
Instruction Fuzzy Hash: B190023120148C06D110B198840474A001587D1301F69C451B542C668D879589997162

Function 00417CDF Relevance: 1.5, APIs: 1, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417CD5

Memory Dump Source

Source File: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 90b6c3c9ac0befac9a8d2a350b687bb3bdf7c8a88b1e282de4888c3ad1aa0f35
Instruction ID: 12065a0d686a507848fde3d9e370d834f19c075235e2d5626990fd7503662ebb
Opcode Fuzzy Hash: 90b6c3c9ac0befac9a8d2a350b687bb3bdf7c8a88b1e282de4888c3ad1aa0f35
Instruction Fuzzy Hash: DFF09672E0010DBEDB10E6A4DC52FDEBB78EB41204F148256F51CA7181F674AB59CBD1

Function 00417CE3 Relevance: 1.5, APIs: 1, Instructions: 41
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417CD5

Memory Dump Source

Source File: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: c50bf08d5b4a0f303d051ac3af90394d6b3ff5d2ef49c6d8a7621cb9fe6756dc
Instruction ID: fadc8b6f9437e1ee4de9b349dc43c5f5fb35f6b38683b7692d6199023fa8e095
Opcode Fuzzy Hash: c50bf08d5b4a0f303d051ac3af90394d6b3ff5d2ef49c6d8a7621cb9fe6756dc
Instruction Fuzzy Hash: 56F090B1A0010DBBDB10E695DC82FDEBB7CEB41604F008256F51867281F674EB598BD1

Function 0042B9C3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E3D8,?,?,00000000,?,0041E3D8,?,?,?), ref: 0042B9FF

Memory Dump Source

Source File: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ed7d21027044886f978c83a113bccda9666778a1c97403e15d2f395d1fb0ff49
Instruction ID: 4e81dad071568856e1fcf5b99d69735336a791c3b06c8117d03e5cdb49f0bc9c
Opcode Fuzzy Hash: ed7d21027044886f978c83a113bccda9666778a1c97403e15d2f395d1fb0ff49
Instruction Fuzzy Hash: 5AE06DB62442057BD614EF59EC41EAB33ACEFC8710F004029FA08A7242C674B9108AB8

Function 0042BA13 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,58568815,00000007,00000000,00000004,00000000,00417540,000000F4,?,?,?,?,?), ref: 0042BA4F

Memory Dump Source

Source File: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 103930c8676304e525cbbca16c8c5ef2aaafcea68ad1299efbfa8f8dea43dc69
Instruction ID: 3c9acdfa4504b35df47397d79eed48e99ddddbce450f74ce8daa467883b14755
Opcode Fuzzy Hash: 103930c8676304e525cbbca16c8c5ef2aaafcea68ad1299efbfa8f8dea43dc69
Instruction Fuzzy Hash: 4CE06DB22042047BC610EF59EC41F9B73ACEFC9710F004419FA08A7241C674B9158AB8

Function 0042BA63 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042BA97

Memory Dump Source

Source File: 00000004.00000002.2062866789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c064f79d94f5c62ac8909f9f975fc53369e88c7666af57c81581eddb17574ead
Instruction ID: b7462853456bf83731f0a88859885a41d37f18b1613878a54ffae7aa0ce994fa
Opcode Fuzzy Hash: c064f79d94f5c62ac8909f9f975fc53369e88c7666af57c81581eddb17574ead
Instruction Fuzzy Hash: 41E086766002147BD120EB5AEC41FDB776CDFC5714F404419FA0D67145C67579108BF4

Function 03822C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03822C24

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3fb5002dca7f3912cc75190f18ac458bb33613af8e011b1e3651d0c618c11694
Instruction ID: 3e6f2f20fdc3cee90ec1e2c58820adbbd436e214b53e3db16ca7c5a98622682b
Opcode Fuzzy Hash: 3fb5002dca7f3912cc75190f18ac458bb33613af8e011b1e3651d0c618c11694
Instruction Fuzzy Hash: 2FB09B719015D5C9DA51E7A046087177D1467D1701F29C4E1E3038651E4739C1D5F1B6

Non-executed Functions

Function 03862349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

LdrpInitializeExecutionOptions, xrefs: 0386317D
RaiseExceptionOnPossibleDeadlock, xrefs: 03862579
DisableHeapLookaside, xrefs: 0386246D
DisableExceptionChainValidation, xrefs: 0386275F
ExecuteOptions, xrefs: 038625A0
TracingFlags, xrefs: 03862549
MaxLoaderThreads, xrefs: 038624EC
@, xrefs: 03862942
MaxDeadActivationContexts, xrefs: 03862D82
UseImpersonatedDeviceMap, xrefs: 0386251C
CFGOptions, xrefs: 03862967
GlobalFlag, xrefs: 03862F3F, 03863059
MinimumStackCommitInBytes, xrefs: 03862BB0
FrontEndHeapDebugOptions, xrefs: 03862489
ShutdownFlags, xrefs: 038624A1
minkernel\ntdll\ldrinit.c, xrefs: 03863187
@, xrefs: 03862B74
Initializing the application verifier package failed with status 0x%08lx, xrefs: 03863176
UnloadEventTraceDepth, xrefs: 038624C0
GlobalFlag2, xrefs: 03862FC0

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 9a1a120379d6e8707e44a7c65aa064f563b19acf518bdffe7c4284f4973f53d2
Instruction ID: 5c9404567c38773a004b35d157e76a6bd77d25045cf2db84c153dd8a631c8127
Opcode Fuzzy Hash: 9a1a120379d6e8707e44a7c65aa064f563b19acf518bdffe7c4284f4973f53d2
Instruction Fuzzy Hash: 13928B75604745AFE720DFA4C880B6BB7E8BB84714F084CADFA94DB291D770E844CB92

Function 03818620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Address of the debug info found in the active list., xrefs: 038554AE, 038554FA
Invalid debug info address of this critical section, xrefs: 038554B6
Critical section address., xrefs: 03855502
8, xrefs: 038552E3
corrupted critical section, xrefs: 038554C2
undeleted critical section in freed memory, xrefs: 0385542B
Critical section address, xrefs: 03855425, 038554BC, 03855534
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0385540A, 03855496, 03855519
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 038554E2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 038554CE
Thread identifier, xrefs: 0385553A
double initialized or corrupted critical section, xrefs: 03855508
Thread is in a state in which it cannot own a critical section, xrefs: 03855543
Critical section debug info address, xrefs: 0385541F, 0385552E

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: e7b1a0308bb56d4368de300217bd3018ab58d2ecc42cdae876febcf61a77208c
Instruction ID: 5adbd08f53b88bdb207553c2f21842e4c995fcc90b6f27351e3379bd55373249
Opcode Fuzzy Hash: e7b1a0308bb56d4368de300217bd3018ab58d2ecc42cdae876febcf61a77208c
Instruction Fuzzy Hash: B181ADB0A00358BFDB20CFD4C845BAEBBB9BB4A714F144199F919FB241D3B5A940CB51

Function 038912ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 038918A5
Free Heap block %p modified at %p after it was freed, xrefs: 0389171B
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0389186B
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 0389176D
HEAP[%wZ]: , xrefs: 038916CD, 038916F9, 03891749, 0389179B, 038917FC, 03891840, 038918D9
HEAP: , xrefs: 03891706, 03891756, 038917A8, 03891809, 0389184D, 03891895, 038918E6
Heap block at %p is not last block in segment (%p), xrefs: 038917B7
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 038918F8
Heap block at %p has incorrect segment offset (%x), xrefs: 0389181A

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: c5afc5e63fab14bfc7a0f25fe80f83dac33beb51b9c7bcd150c12234a6e7351f
Instruction ID: afa9d14c90fc9ed0fdd02ca55a9807f19ad8d1ab7e6d71cb38d2127209d896d8
Opcode Fuzzy Hash: c5afc5e63fab14bfc7a0f25fe80f83dac33beb51b9c7bcd150c12234a6e7351f
Instruction Fuzzy Hash: 5212CE74608646EFEB25CFA8C449BBAB7F5EF09714F0D849AE496CB641D734E880CB50

Function 037DD34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

Control Panel\Desktop, xrefs: 037DD45D
MachinePreferredUILanguages, xrefs: 037DD685
PreferredUILanguagesPending, xrefs: 0383A8DE
@, xrefs: 037DD663
@, xrefs: 037DD49D
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 037DD3B6
@, xrefs: 037DD3E9
PreferredUILanguages, xrefs: 037DD4B8, 037DD4C5
Control Panel\Desktop\MuiCached, xrefs: 037DD62B

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: b3115047045a5b5c1305eda4bc965f8b2edd75e1478c404ded953471e6a880b5
Instruction ID: 371a413ba961012718ee9f6a6d3f88f57768871fd310f4e83cd229f0c2a58db1
Opcode Fuzzy Hash: b3115047045a5b5c1305eda4bc965f8b2edd75e1478c404ded953471e6a880b5
Instruction Fuzzy Hash: 21B19A725083519FC725DF68C880B6BBBF8AF88754F05496EF899DB240D734D948CB92

Function 03879179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\Sessions, xrefs: 03879488
\AppContainerNamedObjects, xrefs: 038794AB, 038794B9
%s\%u-%u-%u-%u, xrefs: 03879422
\BaseNamedObjects, xrefs: 0387949E
BaseNamedObjects, xrefs: 03879477, 0387947C
AppContainerNamedObjects, xrefs: 0387946E, 038794D6
%s\%ld\%s, xrefs: 0387948D
Global\Session\%ld%s, xrefs: 038794C5

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: b710f1313b426a07b6f00dbfbb933a8a4bffdedd5df344ad1e46d1510f07c05b
Instruction ID: 5b7de9fd7140ce819ae3ef2d1baa760d5a83a434da47f44f968b5b3b2339280c
Opcode Fuzzy Hash: b710f1313b426a07b6f00dbfbb933a8a4bffdedd5df344ad1e46d1510f07c05b
Instruction Fuzzy Hash: E4D1F3B2804355AFD731DA94C880B6BB7EDAF84754F050AADFA94DB250E770CA44CB92

Function 03890274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 038904D3
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0389069F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 038906EA
RtlReAllocateHeap, xrefs: 038902BF, 03890362
HEAP[%wZ]: , xrefs: 03890399, 038904A8, 038905D0, 03890675, 038906CC
HEAP: , xrefs: 038903A6, 038904B5, 038905DD, 03890682, 038906D9
Just reallocated block at %p to %Ix bytes, xrefs: 038905F1
About to reallocate block at %p to %Ix bytes, xrefs: 038903BA

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 4abcddeed65dc1b6d5346e4bc0e547898ad977815c9bee6d98818b0af926e3f4
Instruction ID: 1c00a4f28c1c5b79d5715b6ce2c3ad9249a3885333e41c17496081ae72b6c884
Opcode Fuzzy Hash: 4abcddeed65dc1b6d5346e4bc0e547898ad977815c9bee6d98818b0af926e3f4
Instruction Fuzzy Hash: F6D1BCB5501785DFEF12EFA8C444AADBBF1FF4A614F0C809AE485DB252C7359981CB11

Function 037DD08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

Control Panel\Desktop\LanguageConfiguration, xrefs: 037DD196
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 037DD0CF
@, xrefs: 037DD2AF
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 037DD2C3
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 037DD146
@, xrefs: 037DD313
@, xrefs: 037DD0FD
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 037DD262

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: a611dd49e251965431e3e1d5e7a62c8cd9a26b133567d21920b82ef30494b6d8
Instruction ID: cea991a6e9a6db0f5798983255ea0888ace1de92aceac3e8d3bd697dcdcff734
Opcode Fuzzy Hash: a611dd49e251965431e3e1d5e7a62c8cd9a26b133567d21920b82ef30494b6d8
Instruction Fuzzy Hash: 81A156729083559FD721CF64C484BABBBF8BF88715F00496EE698DA240E774D948CB93

Function 037DF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

((LONG)FreeEntry->Size > 1), xrefs: 0383E0B3
(!TrailingUCR), xrefs: 0383E3A9
(LONG)FreeEntry->Size > 1, xrefs: 0383E291
HEAP[%wZ]: , xrefs: 0383DF57, 0383E09B, 0383E279, 0383E391
HEAP: , xrefs: 0383DF64, 0383E0A8, 0383E286, 0383E39E
(UCRBlock != NULL), xrefs: 0383DF6F

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 2655be971a9b9c9c9643dc70e495fefb8509f8bf2fc2a4f4afd917096a1d1167
Instruction ID: 272f6f5850ca1ed2edfa5b38b6f660e1e8b38cfc91ad66ea754f8e8fdef81fbc
Opcode Fuzzy Hash: 2655be971a9b9c9c9643dc70e495fefb8509f8bf2fc2a4f4afd917096a1d1167
Instruction Fuzzy Hash: E442DB762097819FC715DF68C884B6ABBF5FF89204F0849ADE486CB352D730E845CB92

Function 037FB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 038484D0
API set, xrefs: 038483F4, 038483F9
SxS, xrefs: 038483ED
DLL %wZ was redirected to %wZ by %s, xrefs: 038483FC
LdrpPreprocessDllName, xrefs: 03848403, 038484D7
minkernel\ntdll\ldrutil.c, xrefs: 0384840D, 038484E1

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 0d32e792cfe38c6a39065b5084ae5f9ce8274fa8ece7007cd7c0ed380c0e9b99
Instruction ID: d995d86284f5f5eda950f7775033dfb9e5c8aa8ecdd5503798d93ef33f6d237f
Opcode Fuzzy Hash: 0d32e792cfe38c6a39065b5084ae5f9ce8274fa8ece7007cd7c0ed380c0e9b99
Instruction Fuzzy Hash: 46C11771A002199FDB24DBA8C890BBEB7B5FF49310F1840A9EA05DF791E7B4D944D391

Function 038163FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 0385413A
_LdrpInitialize, xrefs: 038540DF, 03854141, 03854205, 0385425F
minkernel\ntdll\ldrinit.c, xrefs: 038540E9, 0385414B, 0385420F, 03854269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 038541FE
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 038540D8
Delaying execution failed with status 0x%08lx, xrefs: 03854258

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: a95e0d58a821a4abe8e82467af66b2cb3ab0024033504d2837fb514eebfb999a
Instruction ID: a36ef7f6917088ac830ef2b3cc1aa17e1e5a79a3a69ef7faa612a061f8c6b3be
Opcode Fuzzy Hash: a95e0d58a821a4abe8e82467af66b2cb3ab0024033504d2837fb514eebfb999a
Instruction Fuzzy Hash: F6918D71A017689FDB24EFE5D844BAD77B8AF01B24F1801EDED50EB285E7B09490C791

Function 0381C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 0381C6C4
Loading import redirection DLL: '%wZ', xrefs: 03858170
minkernel\ntdll\ldrinit.c, xrefs: 0381C6C3
LdrpInitializeImportRedirection, xrefs: 03858177, 038581EB
minkernel\ntdll\ldrredirect.c, xrefs: 03858181, 038581F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 038581E5

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 31d4f8d9c2a4cb7891f97b2d0dc2b9d0485c684e0e760e1d096f1ff48669651b
Instruction ID: 64f2c0b21df59ae3b66bbfe74a28ce1c662cfcb55ccd810d19ab1390015b4ccc
Opcode Fuzzy Hash: 31d4f8d9c2a4cb7891f97b2d0dc2b9d0485c684e0e760e1d096f1ff48669651b
Instruction Fuzzy Hash: 2A31C2B97947459FD214EBA8DD45E2AB7A5AF84B10F04059CF884EB291E660EC04CBA3

Function 03812674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0385219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 038521BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 03852178
RtlGetAssemblyStorageRoot, xrefs: 03852160, 0385219A, 038521BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 03852180
SXS: %s() passed the empty activation context, xrefs: 03852165

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 31e43bd6893f4236f9ac848b036a6c248ae6db1d04b489a3717e6cbf4ca7faae
Instruction ID: a132ba5bf263610eac869df7de41ddf8fe7e89d73ae7ca5ff0fb8d45222ffff6
Opcode Fuzzy Hash: 31e43bd6893f4236f9ac848b036a6c248ae6db1d04b489a3717e6cbf4ca7faae
Instruction Fuzzy Hash: D8310676E402546FE721DADA9C41F5FB7BCEB54B40F0948DDBA04EB241DA70EA10CBA1

Function 038051EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-SKU, xrefs: 0380542B
Kernel-MUI-Number-Allowed, xrefs: 03805247
WindowsExcludedProcs, xrefs: 0380522A
Kernel-MUI-Language-Disallowed, xrefs: 03805352
Kernel-MUI-Language-Allowed, xrefs: 0380527B

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: f77bf2df85c4e607c65fae9369c927729288c39278eae0cccafe1cf1cebec379
Instruction ID: 854b9859c6ba66a9ff667fedc72e674f1bc557edea2cd74e8305e9ce7768c314
Opcode Fuzzy Hash: f77bf2df85c4e607c65fae9369c927729288c39278eae0cccafe1cf1cebec379
Instruction Fuzzy Hash: 15F13C76D04219EFCB15DFE9C980AEEBBB9FF49610F15409AE501EB250D6749E01CBA0

Function 0380D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

$, xrefs: 0380D86D
LdrShutdownProcess, xrefs: 0384F2CE
$, xrefs: 0380D900
Process 0x%p (%wZ) exiting, xrefs: 0384F2C7
minkernel\ntdll\ldrinit.c, xrefs: 0384F2D8

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: 207179b8a285a7321df468d96fe5c37cf12a03e24877e084853eb04843943f03
Instruction ID: af5e37fc36096dcbadecec1fdae19896612d5d48999905cfbe021c8306dd7c02
Opcode Fuzzy Hash: 207179b8a285a7321df468d96fe5c37cf12a03e24877e084853eb04843943f03
Instruction Fuzzy Hash: 24510076E00749DFCB54EFE8C88479DBBB1BF49308F2845E9C401AB295D774A859CB90

Function 037D76B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

, passed to %s, xrefs: 0383B040
RtlFreeHeap, xrefs: 0383B03F
Invalid heap signature for heap at %p, xrefs: 0383B02F
HEAP[%wZ]: , xrefs: 0383B016
HEAP: , xrefs: 0383B023

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 8ec02df91ae3d82d2d930ddc4632bf16b8a912e9b7ec0be01689ae977944b6eb
Instruction ID: 6791fe0c90dce65c14f709640314a29a516cf8b130046ae9404f16a81252c798
Opcode Fuzzy Hash: 8ec02df91ae3d82d2d930ddc4632bf16b8a912e9b7ec0be01689ae977944b6eb
Instruction Fuzzy Hash: 1601D8B61096C0DFD229E759941EFD6B7F4DF43A30F19409DE0558F751CAA49880C560

Function 037F70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 037F7C6D, 037F8670
HEAP: , xrefs: 037F7C7C, 037F867F
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 037F7C96, 037F8696

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 0e6d869144549adf33dbf6f347e7951432eb40133c0aaa5b9671fc7c0792790b
Instruction ID: 3cee517b7f45de4c52fe5c3930f9d6006eb6ad2e2484fb49e25b50f5090cca05
Opcode Fuzzy Hash: 0e6d869144549adf33dbf6f347e7951432eb40133c0aaa5b9671fc7c0792790b
Instruction Fuzzy Hash: 5913BE74A00655DFDB28CF68C880BA9FBF1FF49304F1881A9DA59AB381D734A945CF91

Function 037F1070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 0384588F
@, xrefs: 03845A53
HEAP[%wZ]: , xrefs: 03845877
HEAP: , xrefs: 03845884

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: b91c023c7a28a334a3fb8eda6268d0db3052c6756bed9362234f0ed88cac60fa
Instruction ID: 02a714a0e0ccc6e0b3115b9216f3a1a1b504d8cc1921be7d0c5ea84ecc76e4b0
Opcode Fuzzy Hash: b91c023c7a28a334a3fb8eda6268d0db3052c6756bed9362234f0ed88cac60fa
Instruction Fuzzy Hash: C1924875A01268CFEB24DF68C884BA9B7B5BF45314F1981EAD949EB380D7349E80CF51

Function 037EA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 037EA3FF
6, xrefs: 037EA3F7
LdrResFallbackLangList Enter, xrefs: 037EA3EF
8, xrefs: 037EA3E7

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 167e622b1ce12697aa01ceff6c82e31fb7308ad3e7a485c1d54eda837292a773
Instruction ID: 13cf749503fda983bc6eaa08bac3595889ac4d73578ab088ec6bf3bbc4b089c0
Opcode Fuzzy Hash: 167e622b1ce12697aa01ceff6c82e31fb7308ad3e7a485c1d54eda837292a773
Instruction Fuzzy Hash: 6DC18975508386CFC761CF68C044B6AB7F4BF89704F0489AAF896CB650E735CA49CB62

Function 0381273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 038522B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 038521D9, 038522B1
SXS: %s() passed the empty activation context, xrefs: 038521DE
.Local, xrefs: 038128D8

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 78a5deb6d76601c030a40c28434867189c4c72573e17e5ac4796ec430df77f0c
Instruction ID: 9f1208ce815126eb2c7d717c0cd17acc68110cc5576eea97e4aafc290dfefb1d
Opcode Fuzzy Hash: 78a5deb6d76601c030a40c28434867189c4c72573e17e5ac4796ec430df77f0c
Instruction Fuzzy Hash: A9A1923590022D9FCB24CFA8D884BA9B3B9BF58314F1949E9D818EB351D7309E90CF90

Function 037DF626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0383E563
HEAP[%wZ]: , xrefs: 0383E3FE
HEAP: , xrefs: 0383E54E
`, xrefs: 0383E428

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: 9a5962ccc8c6e879f6dcbea2ff873643fe60a7570057265cfe03e441ae7bb8fd
Instruction ID: 4238a01dabf7191c06b9024e86453b9f76fadbe5e332b1a0febad116bf3cbe8e
Opcode Fuzzy Hash: 9a5962ccc8c6e879f6dcbea2ff873643fe60a7570057265cfe03e441ae7bb8fd
Instruction Fuzzy Hash: F061E376205780AFE721DBA8C848F67B7F8EF85714F080499E995CB391D734E941CBA2

Function 038911A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 03891261
This is located in the %s field of the heap header., xrefs: 038912D6
HEAP[%wZ]: , xrefs: 0389123D, 038912B7
HEAP: , xrefs: 0389124A, 0389125D, 0389125F, 038912C4

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 1fa2a353f60fddb9d2b87cdd89bb9a34ffc8932e5dcc7cab698194d71fc7d694
Instruction ID: c63b305ae5e150f72dbdebe6e70d38212312d705b94650b1435ea1567f8ce035
Opcode Fuzzy Hash: 1fa2a353f60fddb9d2b87cdd89bb9a34ffc8932e5dcc7cab698194d71fc7d694
Instruction Fuzzy Hash: 6A312875204255EFEB10EBE8C889FAAB3F9EF05624F1D40D6F442CF291D630AC40C655

Function 037D9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 0383BAF7
HEAP[%wZ]: , xrefs: 0383BAA0, 0383BADD
HEAP: , xrefs: 0383BAAD, 0383BAEA
VirtualProtect Failed 0x%p %x, xrefs: 0383BABA

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: aa04782ca9a5ec357eb555c2cc9d3b28117ca537766c58556dcb5bfe78a6f506
Instruction ID: 1dd50f1215c70bdfaf202abf04c680aaafcbf867381ef2082abf72e6969730b2
Opcode Fuzzy Hash: aa04782ca9a5ec357eb555c2cc9d3b28117ca537766c58556dcb5bfe78a6f506
Instruction Fuzzy Hash: E131D276601244EFCB01DB88C888FEEBBB8EF46730F294095E915EB291D770ED40CA60

Function 037F0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 038450BD
HEAP[%wZ]: , xrefs: 038450AE
(UCRBlock->Size >= *Size), xrefs: 038450CA

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: de41234cda51b06c84fca5cdaade6d5b4764f9a4678e1f50cf859f0bd25c7aab
Instruction ID: 6db27aaec011aa4e9df853c32653e2bbe480b4cc21f3956dbe325b59c3336723
Opcode Fuzzy Hash: de41234cda51b06c84fca5cdaade6d5b4764f9a4678e1f50cf859f0bd25c7aab
Instruction Fuzzy Hash: 37F1BB74A00609EFEB15CFA8C884B6EB7B5FF45304F1881A9E516DB782D734E981CB91

Function 037EB6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 037EB702
MUI, xrefs: 037EB6D8, 037EB7E7
LdrResGetRCConfig Exit, xrefs: 037EB714

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: cdadda6cfb0163b423e78d22c59bdb230d05f5351afdb3348250f452f339cdc6
Instruction ID: 2b6842b3e388ac2afca8488ade73be5865b5c06e851f2a8e6ca524ab849e2ff7
Opcode Fuzzy Hash: cdadda6cfb0163b423e78d22c59bdb230d05f5351afdb3348250f452f339cdc6
Instruction Fuzzy Hash: B7B1A139A087099FDB25DFA9C880BADF7B5AF48314F1844ADE851EBB90D770E850CB40

Function 0386368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 03863842
DelegatedNtdll, xrefs: 038636CE
@, xrefs: 0386389F

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 32999a851c63eab873c5b100e6d9695da1107ae6c927574b59e060293a9100b1
Instruction ID: b86705a0d00aa2610cd1775276ab8cb97d2d63f61d0492c1d420e664d50423c2
Opcode Fuzzy Hash: 32999a851c63eab873c5b100e6d9695da1107ae6c927574b59e060293a9100b1
Instruction Fuzzy Hash: 7CB1BD79604745AFE311DE94CC80F6BBBE8FB44714F5448A9FA51DB2A0D7B0E844CB92

Function 037DA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0383C2E6
UseFilter, xrefs: 037DA1C1
\??\, xrefs: 0383C1E4

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 6bcd60098a4ff54d41fa3a4a05e70229d8b73d12b802908824ebfce8738e0480
Instruction ID: 5c97f54cf1f9536e34a11320e0342364e588286dc15c111d5c63a070f3d9ff52
Opcode Fuzzy Hash: 6bcd60098a4ff54d41fa3a4a05e70229d8b73d12b802908824ebfce8738e0480
Instruction Fuzzy Hash: 6AA18B759012299BDB71DFA4CC88BAAB7B8FF45710F0401E9E909EB250D735AE84CF91

Function 038736EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Enter, xrefs: 03873715
@, xrefs: 03873867
LdrpResMapFile Exit, xrefs: 03873727

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: badc5be6d3cb12f413305975984b6de690f23b811ee80b0b8b5cfdcdd31358d1
Instruction ID: 1c6150d2b36bb9a024b57d0d06992e3b11915a47b48d0a2525a56afcaf5db245
Opcode Fuzzy Hash: badc5be6d3cb12f413305975984b6de690f23b811ee80b0b8b5cfdcdd31358d1
Instruction Fuzzy Hash: EE819B79608341AFE311DB94C884B6ABBE9FF85754F0809ADB990DB390D7B4D904CB93

Function 0381909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 03819148
&, xrefs: 03855CF8
%, xrefs: 03855D3F

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 483cd16fc121575f91044d4871aaeac3193f2853101084f317d1e30184c0b564
Instruction ID: 3af29870b8b87ed805c0c37b892064cf90ee563c92bce6f04205f67786c654f2
Opcode Fuzzy Hash: 483cd16fc121575f91044d4871aaeac3193f2853101084f317d1e30184c0b564
Instruction Fuzzy Hash: EC71CD706083059FC750DFA8C490A2BFBE9BF85718F18499DF8AACB240D730D959CB92

Function 038BB73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

GlobalizationUserSettings, xrefs: 038BB834
TargetNtPath, xrefs: 038BB82F
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 038BB82A

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 3ef6cb752f6560a703bd6a0c44f112feb40e4474fe872b235da4eadd70b15657
Instruction ID: 303bbbd332256544e0b4956210091c4e556bb38f27968d82bcec9256dbab9fc6
Opcode Fuzzy Hash: 3ef6cb752f6560a703bd6a0c44f112feb40e4474fe872b235da4eadd70b15657
Instruction Fuzzy Hash: 6F616D72941629AFDB22DF94CC88BDAB7B8AF04714F0101E5A508EB350DB749E84CF90

Function 037DF7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0383E6C6
HEAP[%wZ]: , xrefs: 0383E6A6
HEAP: , xrefs: 0383E6B3

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 1e1e4585be94941b01538a7fdf79e2f528fc7e8210bce23ec1220326e0cd5259
Instruction ID: 3db4875688cfbc564ae0e1a854bfee9bdcb733e248d5002fee1e3d88e951cb84
Opcode Fuzzy Hash: 1e1e4585be94941b01538a7fdf79e2f528fc7e8210bce23ec1220326e0cd5259
Instruction Fuzzy Hash: FD51C235604784EFE712DBA8C844BAABBF8AF05300F0800A5E582DB792D774E950DB51

Function 0381C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 038582DE
Failed to reallocate the system dirs string !, xrefs: 038582D7
minkernel\ntdll\ldrinit.c, xrefs: 038582E8

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 38e151a5975cb0c8dfb767ee916c79b05c5824640b167c14e22e1153831b4679
Instruction ID: 7b83833bd2a76758a013bf4fad897d4ec851c96b9f6a591fffc93a233d1204af
Opcode Fuzzy Hash: 38e151a5975cb0c8dfb767ee916c79b05c5824640b167c14e22e1153831b4679
Instruction Fuzzy Hash: A041C1BA645704ABC720FBA8EC44B5B77F8AB44750F0449AAF954DB290E7B0D810CB92

Function 038116CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 03851B4A
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 03851B39
LdrpAllocateTls, xrefs: 03851B40

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 034bbf88ca9b1a86d5d9bd6e839b85fb8e72633854768f3a20f8979d8f357b7f
Instruction ID: 549ce2fe8fa6e0aa1fc6e5d4e6a94150c1b96d3821b878f0db5a631462508e23
Opcode Fuzzy Hash: 034bbf88ca9b1a86d5d9bd6e839b85fb8e72633854768f3a20f8979d8f357b7f
Instruction Fuzzy Hash: 8D41BFB9A01609AFDB15DFA8C844BADFBF5FF48718F148599E505E7304E774A810CB90

Function 0389C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0389C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0389C1C5
@, xrefs: 0389C1F1

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 49b452848e88933cf0f829a64d7b8b2901e73626e5170fdf4e5d1f3d48e06ef9
Instruction ID: d793ca21568aea83a5519b0fe785532385a49ad1681c2ca570b1bcc147cf1e55
Opcode Fuzzy Hash: 49b452848e88933cf0f829a64d7b8b2901e73626e5170fdf4e5d1f3d48e06ef9
Instruction Fuzzy Hash: A0417275E00219EBEF10DBE8C851BEEFBB8AB45704F0840ABE515EB250D7759A44CB50

Function 03874144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 03874172
LdrpResValidateFilePath Enter, xrefs: 03874160
@, xrefs: 03874225

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 2667ca07a95f40ae6af8716d9e11d80935e87e4b4c45e78aa402cf8b11dc1f84
Instruction ID: 57b5440fc6d79c6f912cfb3faaadf4f41e131159ff8a10154ecdaf391bf6088c
Opcode Fuzzy Hash: 2667ca07a95f40ae6af8716d9e11d80935e87e4b4c45e78aa402cf8b11dc1f84
Instruction Fuzzy Hash: FA41E035A143888FEB21DBE6C844BADB7BAFF55344F180499D911EF791DA34C901CB21

Function 03864755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 0386488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03864888
minkernel\ntdll\ldrredirect.c, xrefs: 03864899

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 2571d2288257ef72706a49468762e8566f7423fb4474351ec9f1d485283ca44c
Instruction ID: 8a6dfe90e6e347d851bc783bdb37bd0a4e5f5cd4e423ba2996bcb119bbede399
Opcode Fuzzy Hash: 2571d2288257ef72706a49468762e8566f7423fb4474351ec9f1d485283ca44c
Instruction Fuzzy Hash: 2341D532A047989FCB21DF9AD940A6EB7E9EF8A650F0905D9EC54DB311D731D810CB91

Function 038133A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 038529FE
Actx , xrefs: 038133AC
RtlCreateActivationContext, xrefs: 038529F9

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: f1c259e30a2b4443addf9163130882e1cfe91e87677b7da27374180236b82cf2
Instruction ID: a42cb8085e71f3b89acdc2faae68c1d2903f67288f6f3f08dabd5abd38ee5e8a
Opcode Fuzzy Hash: f1c259e30a2b4443addf9163130882e1cfe91e87677b7da27374180236b82cf2
Instruction Fuzzy Hash: AF3148362003059FDF26DF98D880F96B7A8EB48724F1944A9FD05EF241CB70E951C790

Function 0386B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

GlobalFlag, xrefs: 0386B68F
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0386B632
@, xrefs: 0386B670

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: ce6e4be1a80e6e43f46351f552141912bdc8f022fd776db1151e95a5262d35e9
Instruction ID: 5d58379a2dda23aa26aea5ade7218f6eb5d7d290248138f7563341571dd16281
Opcode Fuzzy Hash: ce6e4be1a80e6e43f46351f552141912bdc8f022fd776db1151e95a5262d35e9
Instruction Fuzzy Hash: F7313CB5A00219AFDF11EF95CC94AEEBBB8EF44748F1404A9E605EB250D7749E40CBA4

Function 03811607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 03851A51
DLL "%wZ" has TLS information at %p, xrefs: 03851A40
LdrpInitializeTls, xrefs: 03851A47

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: e9ed3c73accf1ffbe9f254c8b799b75e82c5fdacf104cebdb7098a4f8d056ac6
Instruction ID: 6f7a7ac65ee0367fbf7b20a5041d421906317d72bac811b5c5a3418b8c82eefa
Opcode Fuzzy Hash: e9ed3c73accf1ffbe9f254c8b799b75e82c5fdacf104cebdb7098a4f8d056ac6
Instruction Fuzzy Hash: 1F31E775A20604EFEB10DBD8CC89F6A77ACFB45759F1401EAE605EB180D770AD24CBA0

Function 03821270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

BuildLabEx, xrefs: 0382130F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0382127B
@, xrefs: 038212A5

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 17abbdc730b3717273067100bb233b28ad336a99dabc549ed5966d2571867ed4
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 0B31AF76900228ABDB11DBD9CC48EAEBFBDEB85720F1044A5F914EB260D7349A45CB91

Function 038620DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 038620F3
LdrpInitializationFailure, xrefs: 038620FA
minkernel\ntdll\ldrinit.c, xrefs: 03862104

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: b5ae69dc5a1abbfb2a6d54e39e2a114b7179d623582ce4e5e6661b23d355dc87
Instruction ID: 6e54da8cd40602a05047882d5e1fad258d45cfdc931aac33a920f241cff1f2cf
Opcode Fuzzy Hash: b5ae69dc5a1abbfb2a6d54e39e2a114b7179d623582ce4e5e6661b23d355dc87
Instruction Fuzzy Hash: 26F0C8B56417486FE714E68CCC46F9977A8EB40B54F5404EDFA00BB282D6F0B550CA52

Function 037F03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03844D8A

Strings

#%u, xrefs: 03844D82

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: a360d9ecb7c5a94bbfd85edd7b1ac48c0a7e6490bb6f59530f94421109c76863
Instruction ID: 7a896e4893c50091349e12b546952eaf517d09383507456f6d448bed64d01d53
Opcode Fuzzy Hash: a360d9ecb7c5a94bbfd85edd7b1ac48c0a7e6490bb6f59530f94421109c76863
Instruction Fuzzy Hash: 69715A75A006499FDB01DFA9C994FAEB7F8BF08304F1540A5E901EB351EA34ED41CB61

Function 037F52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 037F55A3
@, xrefs: 037F5445

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 2e5d91e2b4dce20cb4f0104286c3f77338b999195da7ff62d9fa51c7c4e95e8d
Instruction ID: 8e3b6e2a1375fca257b83eafdf8e8b66b4265cc3f2bff7640b4e3d64763dada1
Opcode Fuzzy Hash: 2e5d91e2b4dce20cb4f0104286c3f77338b999195da7ff62d9fa51c7c4e95e8d
Instruction Fuzzy Hash: D7329A745083118FCB24CF58C484B3AB7E5BF8AB64F18496EEA959B790E734D840DB92

Function 038AA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 038AA551
`, xrefs: 038AA44B

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 78ba573fbbc162476c6e3bae3011f0f21b4a4b7e4ac69846dd9ca52cf11fed69
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: BFC1E031204B469BE728CFACC841B2BFBE5AFC4318F084AADF595CA690D779D505CB52

Function 0385E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 0385E75A
UEFI, xrefs: 0385E751

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 285a7e66f00151fc25acf3e7dac501f538294a3acdadf66dab54278ef47e7796
Instruction ID: 1c0db6f76e879cbba0c821f3457af52956b25ef30bab9780b6b331993445e577
Opcode Fuzzy Hash: 285a7e66f00151fc25acf3e7dac501f538294a3acdadf66dab54278ef47e7796
Instruction Fuzzy Hash: 48612B71E007589FDB24DFA8CD40BAEBBB9FB48704F5440ADE959EB251D731AA40CB90

Function 037FF720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 037FF860
$, xrefs: 037FF7F6

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: 1d70d17192afef33ed746e9b79ba5eb84647c3ab9767ef33af9dc1b699b63fd4
Instruction ID: be5f60e4f8f50f6fa6f2e25494ef6d04a4ff4ce3b42a9c5502d4b830b61e2cf7
Opcode Fuzzy Hash: 1d70d17192afef33ed746e9b79ba5eb84647c3ab9767ef33af9dc1b699b63fd4
Instruction Fuzzy Hash: 9D61ED75A0074ADFDB20EFA8C584BADF7B5FF04304F0840AAD615AB780DB74A940EB90

Function 037EA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 037EA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 037EA309

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: a760860f639ce4e1d345b73f3a49f1b004fe03090d396cee201086679d66ec4f
Instruction ID: 51e082cac6e39dfa3a66ffda594447c8ae5e20e242e0e3c6a00f795b385ed646
Opcode Fuzzy Hash: a760860f639ce4e1d345b73f3a49f1b004fe03090d396cee201086679d66ec4f
Instruction Fuzzy Hash: 2841BB34A08749DBDB21CFA9C840BAAB7B4FF89704F2844A9EC14DB791E735DA40CB50

Function 0381329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 038132B5
@, xrefs: 0381330D

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 86a464d8f896e18ce7d64ee3a995a0d7f0c6d9460b4d5dc53ead406065116228
Instruction ID: 45ab0b4937c2d1cc11a7124063fc6e22012fd746355ddef2aa9955692fee7a66
Opcode Fuzzy Hash: 86a464d8f896e18ce7d64ee3a995a0d7f0c6d9460b4d5dc53ead406065116228
Instruction Fuzzy Hash: 4231BEBA5083049FC711DF68D880A6BBBECFBC4654F4809AEF995C7250DA70DE14CB96

Function 037EC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 037EC8C3, 037ECA40

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 18a984699047a28c465110a4d7ce897c7e8625616989e1771ae811400cec818c
Instruction ID: e68c9db44ea1502c78c27b95c533b87ccc6f1daeb94605563d90ad6080f448f2
Opcode Fuzzy Hash: 18a984699047a28c465110a4d7ce897c7e8625616989e1771ae811400cec818c
Instruction Fuzzy Hash: D9824A7AE002199FDB25CFA9C980BEDF7B5BF4D710F1881A9E859AB250D7309981CF50

Function 037E7370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c919a0564c31bed4409f035db22ed15528252cfb4c654755ad8c88d57c3ce531
Instruction ID: b8ed614a7fdd6123c30df78309f9661ef1473204a51947d8fb3c217790e9af8c
Opcode Fuzzy Hash: c919a0564c31bed4409f035db22ed15528252cfb4c654755ad8c88d57c3ce531
Instruction Fuzzy Hash: 63A16A75608782CFC324DF68C480A2ABBE9FF88304F1449AEE595DB350E730E945CB92

Function 0381F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7277f945b9a1cb84e1151064df477606d9f97a3e62c10771291e85ba264541
Instruction ID: bcae1218f08d69ad274b6f810447eacd23b3f92a6f6824f6861f255547da6644
Opcode Fuzzy Hash: df7277f945b9a1cb84e1151064df477606d9f97a3e62c10771291e85ba264541
Instruction Fuzzy Hash: D5414AB4D11288AFDB20DFA9C480AAEFBF8FB48300F5442AED559E7211D7349954CF60

Function 0381A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 038567C9

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: ddbb5a4cde537a97e0ac87c651bd8f204be6f7edf8ec61995c546b20eeba9ced
Instruction ID: ce375f9743357da615f45c92d265e4a1deb73206c425b0207cfa3df3f4262c1d
Opcode Fuzzy Hash: ddbb5a4cde537a97e0ac87c651bd8f204be6f7edf8ec61995c546b20eeba9ced
Instruction Fuzzy Hash: AB718F75E0120ADFDF28CFD8D5906ADBBB2BF48714F5891AAF805EB240E7319841CB50

Function 037E973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 037E97F3

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: 655e7419af0cc1fa96680c39ee83410dbe19b35870277600fa2d81860b7b8d7b
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 9C617C76D00219ABDF21DFA9C840BEEFBB4FF89710F1545A9E910A72A0D7749940EB50

Function 0386F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 0386F867

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 235ea1bfe429c869b8d45b85742df0678d6635fbe0388f227508a49f69365854
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 6D51CE72604305AFE721DFA8D840F6BB7E8FB84754F0409A9BA90DB290D770ED04CB92

Function 037FE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 037FE6A4

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 1e76f313f152f1da9958030c7200468d28f68ee3c01373583224da4d83d0744e
Instruction ID: 17887357f53fe5d713a955b24757996a3afe919dc6a6b79c983167ef541cf54a
Opcode Fuzzy Hash: 1e76f313f152f1da9958030c7200468d28f68ee3c01373583224da4d83d0744e
Instruction Fuzzy Hash: F8418D765083019FD720DAB5C844B6FB7E8BF88714F44092DF684EB6A0EA74DA04C7A7

Function 0389B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0389B28F

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 7b05df774c9d810eb155b8b3a2ee59dd40a4f9d2fc78c3fd2018a053b2f92a2c
Instruction ID: a5545ee767c0b6e219a85198b396bf0f4995cdacc672863316dd74ddfacec6ad
Opcode Fuzzy Hash: 7b05df774c9d810eb155b8b3a2ee59dd40a4f9d2fc78c3fd2018a053b2f92a2c
Instruction Fuzzy Hash: 62419476900219EBEF22DAD5D840BEEF7F9AF88650F0901A7E911EB250D6B0DD40D7A0

Function 0385C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0385C77F

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: d61eb42cc494031895b75b791afa17f9b066e153a0f792a5ce33036f3621338c
Instruction ID: 8a1b999d7a19929e4e8d3e70c18623ee0f896925bef572ca86c1000746c0ce98
Opcode Fuzzy Hash: d61eb42cc494031895b75b791afa17f9b066e153a0f792a5ce33036f3621338c
Instruction Fuzzy Hash: 2F4121B5D0172CAADB21DA94CC84FDEB77CAB45714F0045E5FA08EB140DB709E898FA5

Function 038697A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 03869870

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 05349d2c74084a5bc9deb73134324169849cc257061bb8be3e557dd9fee5277f
Instruction ID: 63fb14cec302616a76848a698c1f51f513b2bfc1123e44cad3fcd9c3063bcd42
Opcode Fuzzy Hash: 05349d2c74084a5bc9deb73134324169849cc257061bb8be3e557dd9fee5277f
Instruction Fuzzy Hash: 9B3193756103019FDB24DFA9E860B26B7E9EB49310F5890BAE545DF2C1EB318C84C790

Function 0388705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 038870A4

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 780833d752e31e993c245d18634e7181021c39efcddde61b42e44e6e6bde174f
Instruction ID: 7fe7e3f5f760e9f7e38b7a92da0c97124dcfdbeeb84cc7de8468877545de968f
Opcode Fuzzy Hash: 780833d752e31e993c245d18634e7181021c39efcddde61b42e44e6e6bde174f
Instruction Fuzzy Hash: 23417C3650274947E721FBE8E884B697BA4EB40724F7801D9FC50CF1C9DBB44495C791

Function 037E5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 037E50BF

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: b907d71646690f314382fb73c5d4d1596b511a986f23124db5235e8d6827e93b
Instruction ID: 2e341544fefaa8163e223c4fa87aa3749c1fb4596eaff57bbc2b9315021d4fa4
Opcode Fuzzy Hash: b907d71646690f314382fb73c5d4d1596b511a986f23124db5235e8d6827e93b
Instruction Fuzzy Hash: 0611933430560E8BEB24C92D8850676B299EB8F23DF3C812AF552CB390DA71DC419381

Function 0383739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13480f9f4a406bb847e003194413bcd67e866be602dfdbd30ef1a643b52ffda
Instruction ID: e3439d57a6b759e2f4c1bad0a9e8675f9c1e8397e047bc8768cc472070b359be
Opcode Fuzzy Hash: f13480f9f4a406bb847e003194413bcd67e866be602dfdbd30ef1a643b52ffda
Instruction Fuzzy Hash: 124290B5A006168FDB18CF99C4906AEF7B6FF8A314B1885ADE552EB340D734E941CBD0

Function 0380B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60edfd3f41db25f8aca964dcc91a4a87111b21ddd40293995b47ed5594d75e81
Instruction ID: 7bf8c6ca3c27321a9309be6c8c4e3d737bf7f2ea6b80b764321a7979408dc071
Opcode Fuzzy Hash: 60edfd3f41db25f8aca964dcc91a4a87111b21ddd40293995b47ed5594d75e81
Instruction Fuzzy Hash: 7A329C76E002199BCF15DFA8CC90BAEBBB5FF84714F1800A9E805EB391E7359951CB91

Function 0388A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8856e7d84da683ffb00a04c361e8aa26d1f41d07b9f037d1304595d0831d34c4
Instruction ID: 541fde0f1df95db1323cc38aa11c406eab27b330f1791e34aa30ea54ffe9d98b
Opcode Fuzzy Hash: 8856e7d84da683ffb00a04c361e8aa26d1f41d07b9f037d1304595d0831d34c4
Instruction Fuzzy Hash: 9D22AD742046558BDB28EFA9C094772B7F1AF44304F0884DBD896CF2CAE739E592DB61

Function 038A16CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3472819360ab74f83705a62e0d791b92d206549290a717be2f07b1a7af9e9f9
Instruction ID: bbe0a41320577cbeac5f82f7583800cfec37be4a19ce640fa2625ef18195af8a
Opcode Fuzzy Hash: a3472819360ab74f83705a62e0d791b92d206549290a717be2f07b1a7af9e9f9
Instruction Fuzzy Hash: 1D22B135A006168FEB19CF9CC484AAAF7F6BF88314F1845ADD556DB344EB34E942CB90

Function 037D8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650ce99d0409f06ddcfcbdf171cf47ee7fdcd661e84f75af967ddfaf16effb50
Instruction ID: ca4fe15fd59dc1e5133e1e6ca6c60151a1ecf316abe1afa71aa8edaa846f4421
Opcode Fuzzy Hash: 650ce99d0409f06ddcfcbdf171cf47ee7fdcd661e84f75af967ddfaf16effb50
Instruction Fuzzy Hash: 8FD1C2B5A0031AABCF15DFA4C880ABAB7B5FF45314F0846ADE916DB281E734D941CB91

Function 037ED7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b95ea6c21bb681bdb001267b6c9249442cc17e7113fbe4fa586dd4ffae71e9
Instruction ID: 50db2b6a7aeaf09897cf50ff68ae57e792a9e43102227235626f016e6f360437
Opcode Fuzzy Hash: 05b95ea6c21bb681bdb001267b6c9249442cc17e7113fbe4fa586dd4ffae71e9
Instruction Fuzzy Hash: 70C1B571E002199FDB24CF9AC844BAEF7B6FF48314F1882A9D915EB680D774E941CB80

Function 038090DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c20bb1acc3e995331f52eb7d22075cd083f825346e66badff0d2fc64726481c
Instruction ID: 10adb718deddb0211cfc723db89ab69b43044a51831e68f5a192e5c97304325e
Opcode Fuzzy Hash: 3c20bb1acc3e995331f52eb7d22075cd083f825346e66badff0d2fc64726481c
Instruction Fuzzy Hash: DEA16D75900619AFEB12EFA4CC85FAE7BB9AF49750F050094FA10EF2A1D7759C50CBA0

Function 037E83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b65b7ee91113972819d98b95546579db8723218fbac257cdf0691dbbcd2395
Instruction ID: df65f7a4a2d2cbd19025e46ddde16c1525fe9dee97ea717f4c8771d67d35ee08
Opcode Fuzzy Hash: c4b65b7ee91113972819d98b95546579db8723218fbac257cdf0691dbbcd2395
Instruction Fuzzy Hash: 2FC157742083449FD764CF58C484BAAB7F4BF88704F4849ADE999CB690DB74E948CF92

Function 03820185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f5bcfa603a717dcc324f76253e93b5c5490619363b3db8092492e5db3853a6
Instruction ID: 6c2e75d779b3ccc75629a04b0da1d46beb25ca8631fb47a0c1ea3c423a6084be
Opcode Fuzzy Hash: 73f5bcfa603a717dcc324f76253e93b5c5490619363b3db8092492e5db3853a6
Instruction Fuzzy Hash: 90A1C2B0A01729DFDB24DFA9C890BAABBF5FF44318F0441A9E905DB281DB34E955CB40

Function 037FE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f352e050db21bbb7115a840ff83e558413bbdc89fe3d78dde82daa8a29a77b
Instruction ID: fd893d796a5a040b3a060f613496c987f1bdd778d1e61a744b1d32eae93ba266
Opcode Fuzzy Hash: 66f352e050db21bbb7115a840ff83e558413bbdc89fe3d78dde82daa8a29a77b
Instruction Fuzzy Hash: A6911135A00A19CFDB24DBA8C884B7EB7A2FF84710F1940A9EA05DBBA1E734D941C751

Function 037E1131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159967db0d2bf3fe582e22544b83d10629ba09e84d0ebb929a2b10409421a8e9
Instruction ID: 01f5dfc25a5725d4f104b517d566cd64997e568dbe51801e909a60d04d49e9af
Opcode Fuzzy Hash: 159967db0d2bf3fe582e22544b83d10629ba09e84d0ebb929a2b10409421a8e9
Instruction Fuzzy Hash: F9B11275A093408FD354CF68C880A5AFBE1BF89304F5849AEF999CB352D371E945CB82

Function 0380D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 913a134dff3697c791ea60d2c43a2bb2c0db8a91b3b8012a840b346382fd74bc
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: C9815C76E002198BDF24CFDCC9807ADF7B2FF84204F1981AAD815EB684DA35A945CB91

Function 0381E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004f7213d4d6108f7cfa8167b0d8d55184056f163c77a38f8ee9f7e075838dde
Instruction ID: 76e87414be3b6fe248f0326a99689f5330f1e8b661c0c19879674722cc9a4781
Opcode Fuzzy Hash: 004f7213d4d6108f7cfa8167b0d8d55184056f163c77a38f8ee9f7e075838dde
Instruction Fuzzy Hash: 64815A75A00609EFDB25CFE9C880AEAFBB9FF88314F144469E956E7250D730AC55CB60

Function 037FC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5483f258c72a80959730907512a53ed5cf1ae3c181d85dd6bc3b1eab0db841f4
Instruction ID: fb6cc46fb4950f33374ef9cd122c810efefacca255351002f7d410f51cc0e787
Opcode Fuzzy Hash: 5483f258c72a80959730907512a53ed5cf1ae3c181d85dd6bc3b1eab0db841f4
Instruction Fuzzy Hash: 1271B0B5C0562A9FCB26CF98C8907BEFBB4FF48710F14419AE942AB750D7359800CBA0

Function 037F260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7becb6f7f8dfa0aa11a93c37c201f2f93166939efe4372b22dce488020a809d9
Instruction ID: 24b81f815976ffcff83412c493b859d48d94ec2a69348a6309eb1e1f1e68ae03
Opcode Fuzzy Hash: 7becb6f7f8dfa0aa11a93c37c201f2f93166939efe4372b22dce488020a809d9
Instruction Fuzzy Hash: 4E71F3396042419FD311DF68C484B2AB7E5FF88310F0889AAEA94CB756EB34D845CBA1

Function 0386035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 662c0ca9107681cf37dab39496ef73e9ba6b4a816d3e3577bcf38ed2f6086d8a
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 22717FB5A00619EFDB10DFA9C984EDEBBB8FF48304F144569E505EB290DB34EA01CB54

Function 038762A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e055c67e4e898841d22316bc89f130c2133aaf85e27ccec64209b65b476b307e
Instruction ID: 19a0ddc49969e642ab5703eb8861eef659bca5f8d5d2c9da73e96fea04efaf46
Opcode Fuzzy Hash: e055c67e4e898841d22316bc89f130c2133aaf85e27ccec64209b65b476b307e
Instruction Fuzzy Hash: 3871E236200B01AFDB31DF98C844F66B7E6FF84764F1949A8E256CB2A0E775E944CB50

Function 038A132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4be1c425e94f46a8544cb37c7df792d1b68eb25099082e2055c6ffe6a7d3e2
Instruction ID: 2c7d06c9e93ed3af5b93d3f4e84f43a3ae1ffd3c36d6bed0efca7f9368dcb99a
Opcode Fuzzy Hash: 5f4be1c425e94f46a8544cb37c7df792d1b68eb25099082e2055c6ffe6a7d3e2
Instruction Fuzzy Hash: CC818075A00609DFDB09CFA8C484AAEB7F1FF88310F1981A9D859EB345D734EA51CB90

Function 038A903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b140b34376adc544cb57a9af7efe1482c01caba7a95aae194b00661f512b50
Instruction ID: a5cc0c74b124ad5ed5acc91df8ab969e9ccd1cb5122a37176b80f15e12c64096
Opcode Fuzzy Hash: 47b140b34376adc544cb57a9af7efe1482c01caba7a95aae194b00661f512b50
Instruction Fuzzy Hash: 0461D075204B19AFE715CFACC884BABBBA8FF84350F044699F968CB240DB30E514CB91

Function 037E7703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f313067a5bf7c8aa3d24f07047930650394c50364b43cb921ff736f810ac1e
Instruction ID: e9e6d524c578fd3ea2a55793a897470c86ac60f8520341f2382c0a7a770b01f7
Opcode Fuzzy Hash: b4f313067a5bf7c8aa3d24f07047930650394c50364b43cb921ff736f810ac1e
Instruction Fuzzy Hash: CB613375A01646EFDB1CDFA8C480AADFBB5FF48300F1885AED519A7340DB30A955DB90

Function 038A92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529472f894425f94c1bdcc294a679f7595d38106824b6618d9aa71288f035dfb
Instruction ID: 056c09a908a393a0fa6201250a702d6f3a94c58cbeddf9a1360c2929d5b3befe
Opcode Fuzzy Hash: 529472f894425f94c1bdcc294a679f7595d38106824b6618d9aa71288f035dfb
Instruction Fuzzy Hash: E061D435209B498BE315CFECC494B6AB7E0BF80718F1844EDE895CB281DB75E905C791

Function 037DB2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e87a6e70fee358b9910a86817a317397d4a482a378ff7b78329d6c81be171a
Instruction ID: b785596f7252a112405daa486be44014eed9bed27a0397c0c30bad1f5710f0d1
Opcode Fuzzy Hash: 43e87a6e70fee358b9910a86817a317397d4a482a378ff7b78329d6c81be171a
Instruction Fuzzy Hash: 3241F6752407009FCB26EF69D880B2AB7B9EF48760F1A44A9E659DB790D7B0DC10DB90

Function 037F3740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc562c6768194115ef9d5a31e5046c27f13b8e0eda047aef0e6fb9495757afaa
Instruction ID: 70d2d709e4d1aa6160116eba54f8b3d14609f66d191ede9dcd5b6edca41b9eb6
Opcode Fuzzy Hash: dc562c6768194115ef9d5a31e5046c27f13b8e0eda047aef0e6fb9495757afaa
Instruction Fuzzy Hash: 9F510079E01616AFE711CF6CC8806A9B7B0FF04710F1882A9E955DB741E738E991DBE0

Function 037E7152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd9c3a6fcd2c0090b232a9b49256e38cf23cf05e2fc1b336828f6f639e7d028
Instruction ID: ebfcc51093933e4405eb1f747c49ec974eb0f8c6f86a32f37e94aef22536cd01
Opcode Fuzzy Hash: 1fd9c3a6fcd2c0090b232a9b49256e38cf23cf05e2fc1b336828f6f639e7d028
Instruction Fuzzy Hash: 64512539A0070AEFEB09DFA8C948BBDB7B8FF48315F1440A9E512D7690DB749951DB80

Function 038AD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 4cf507b24495589b8a8a120a370298f54927af75e9c4e4a8dabf59aff375b08b
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: 9B517A726087419FE700CFACC890B5AB7E5FBC8244F08896DF994CB240D734E949CB52

Function 037E51ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b692d080d3e70f98bc73e3d16097105207e1fe394fe81a8ad596084e888f700
Instruction ID: aa32b2d8debde78def86bcdc5b1961aa78662f1d711350da5589f877539ea702
Opcode Fuzzy Hash: 1b692d080d3e70f98bc73e3d16097105207e1fe394fe81a8ad596084e888f700
Instruction Fuzzy Hash: 76516CB5A0121DDFEF21DBA8C944BAEB3B8BB0E72CF180099D911EB251D7B5D940CB51

Function 0381F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942013026f497c2a948ac47046db79a00ed37a73c75d9d82fe72dfecbb512e15
Instruction ID: 5039902088c96f295b3658fdc3106aee27409a9a8b2cb80a7f7e8347de02c918
Opcode Fuzzy Hash: 942013026f497c2a948ac47046db79a00ed37a73c75d9d82fe72dfecbb512e15
Instruction Fuzzy Hash: 5D417776D0426DABCB11DBE88844AAFB7BCAF04754F1505E6EA00FB601D634DD00C7E5

Function 038101F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c7255f604408c59d274ce2bf62cbcd2a9c875b2c5c3f101e3a2b0f38afffe6
Instruction ID: 01219165615826f1e1da86081ba9f5ddfd55e49280177ced01eb7186d7b712d5
Opcode Fuzzy Hash: d1c7255f604408c59d274ce2bf62cbcd2a9c875b2c5c3f101e3a2b0f38afffe6
Instruction Fuzzy Hash: D7419DB59002199BCB15DFE8C840AEDF7B8BF88714F18819AE819FB340D7359D91CBA5

Function 03822750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: eb7bcc7b11de6fac45cda3b957ba829bfa70004c474598d48079f2ade5d8babf
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 28512975A006199FCB19CF98C580AADF7B6FF84714F2882E9E815EB350D734AA41CB90

Function 037E6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcec0a13e50360deda52a0778419f05b2b07a2f582ee387774e5aa41f0cc42e
Instruction ID: 6c84eb26e4574b3d1ae95f7109291bf67f9d3f3a1b80dd980351d7f980ba83f9
Opcode Fuzzy Hash: 1fcec0a13e50360deda52a0778419f05b2b07a2f582ee387774e5aa41f0cc42e
Instruction Fuzzy Hash: 6751F67490021ADFDB25DB68CC04BA9BBB9EF19318F1882E9D525DB6D1E7389981CF40

Function 037DB136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aad52debca498b63d414451f9356e37dfed9e51209a2b97464265bf88d3e743
Instruction ID: d0fd326a281f554174da44fdc6d328ec146076f2318727bc56feb4c85dad0776
Opcode Fuzzy Hash: 2aad52debca498b63d414451f9356e37dfed9e51209a2b97464265bf88d3e743
Instruction Fuzzy Hash: EE41AEB6641705EFDB21EFA9C880B6ABBF8EF00794F0544A9E655DB250D770E850CB90

Function 038A866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: e307036b79569d06f409e193608675015e10aeb0fc713da2bf1a4220a539774d
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: C0418075B00619ABFB14DBDDC884AAFFBBAAF88600F1840A9E804E7341DA74DD01C760

Function 0380D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa87c9abc7b968148cb6fd8109a714cae9d05b88a2b50f6afdea282e954799a5
Instruction ID: 7f9c8ecb0f7f1ad15297617e6670275a03b3d87d36c8d9aa7b609347d18b60c2
Opcode Fuzzy Hash: aa87c9abc7b968148cb6fd8109a714cae9d05b88a2b50f6afdea282e954799a5
Instruction Fuzzy Hash: D841E4755057249FD320FFA9CC90E6AB7A8EB49324F0005ADE915DB690CB30E821CB92

Function 037DA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 544a34a83331af782bd9f104266c3810cec70b0f73a1ca98e324e47f71ec7407
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 20412771A00219DBDB62DEE594447BAF771FB81764F1980AAE845DB380E632CD80DBD0

Function 03810710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: f46cbb0e36d0c2299f844ac12a2417f51bd25f81637f58ccd112b41c5fa0387e
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: EF412CB5A04705EFCB24CF98C980AAAB7F8FF08704B1049ADE556DB690D370EA94CF50

Function 037E262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b0574dee882637e58867c5f865c826936992aa2fcb3788f2fd717f5ceada60
Instruction ID: 23c6b9bfc85cd5471742c6b811510b1ac60dec2210189296152209160f1e116c
Opcode Fuzzy Hash: 92b0574dee882637e58867c5f865c826936992aa2fcb3788f2fd717f5ceada60
Instruction Fuzzy Hash: D7419075901708CFCB21FF68C940B69B7B9FF49310F148AEDC6169B6A2EB309941DB51

Function 037F02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: f5009a383bbb806e65b200afe264969af870d5e03b00f6d712bcff98e8b10e4e
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: B3310A35A04344AFDB21CBA8CC44B9ABBE9FF09350F0885A9E855DB352C674D884CBA4

Function 03809274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615f10de0bc76ed3d003ad8424a1be477b40a125da033c65440eb367e0a41672
Instruction ID: 1a564563da2cc71c64712637fb51156f15f149ab359c6faf90e82dfaa6ada1a6
Opcode Fuzzy Hash: 615f10de0bc76ed3d003ad8424a1be477b40a125da033c65440eb367e0a41672
Instruction Fuzzy Hash: 92318F75A00328AFDB61DBA8CC40B9ABBB9AF85714F1601D9E54CEB291DB309D84CF51

Function 037E5702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94dd24bec34ec48547c4ed9c8c2ed6e41f813b1fbfdccda0452d44a0c290a7a7
Instruction ID: 5fe7768f1a96bac46a494a3269126d34e7ada6078ef15292354eb271301c9afc
Opcode Fuzzy Hash: 94dd24bec34ec48547c4ed9c8c2ed6e41f813b1fbfdccda0452d44a0c290a7a7
Instruction Fuzzy Hash: BD31A035201B0AEFCB55EB64CA84A9AF769FF49358F0450A9E9018BA50D770E830EBD1

Function 037E4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58019d64f0add75df7d16fbe781d424e2377432a1ea1b65b15805ae7355504ab
Instruction ID: e17f4762ca6815a106835446f0c8e1791d9cfe95f186665ed7ac2786cb67c135
Opcode Fuzzy Hash: 58019d64f0add75df7d16fbe781d424e2377432a1ea1b65b15805ae7355504ab
Instruction Fuzzy Hash: 4C41AD75200B49DFC722CF69C895BD7BBE9AF49314F0544A9E669CB690C774E840CB50

Function 038050E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: ba80397ed7623f24714c1370b860b4830543df1c58c3f2d7a3bda79009cfa795
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 1D31C33160C3499BD762DA98CC04766B699AB86754F0885AAF495CB3D0D274C841CBB2

Function 038A61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5debddc829583cfac0508dcd524e17fac786ab9f6e76444b8c3fb32f8767bc
Instruction ID: b6d83056d77197aa344575943e07539fd7c8fc5eb30daef0867d3ba06f344ada
Opcode Fuzzy Hash: 0b5debddc829583cfac0508dcd524e17fac786ab9f6e76444b8c3fb32f8767bc
Instruction Fuzzy Hash: 3431B279A00659ABEB15DFECC840BAEB7B5FB44740F4941A8E900EB244E774AD40CBA4

Function 037D9730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae972009f742585e43ac47a2d43b7b6eb0301b6504aee9c01ed360d9c9382f0
Instruction ID: d81a92418203e0a85e83e2ab39d5ca69c4e63b7bcd5d21ccf1ee1c079efe9f33
Opcode Fuzzy Hash: 7ae972009f742585e43ac47a2d43b7b6eb0301b6504aee9c01ed360d9c9382f0
Instruction Fuzzy Hash: 3521D07AA00715AFC322DF98C804B1ABBB5FB86B60F150469E765DB341D774EC01CB90

Function 038A60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9355c783c8dff820303423055b5511e58a7fbe1a9b600a5ac1555b3d3a55ef2
Instruction ID: 98f93ad6e4ec58f68ad1b1cb90264d2961f8b69c1c8625083d8f405c883e8357
Opcode Fuzzy Hash: c9355c783c8dff820303423055b5511e58a7fbe1a9b600a5ac1555b3d3a55ef2
Instruction Fuzzy Hash: 4E31B179600B05AFEB12DBEDC850B6EBBA9AF44754F0800E9E555EB346EA70DD018B90

Function 037E07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0d66cdeda07c9a7394835b25ca75066fe0d04fc02c4a10545abb16387310a6
Instruction ID: 07a74c31d26bfd4f4b3c70b2e95276b603f4f534ab996838c0eeaded721cabe2
Opcode Fuzzy Hash: 4a0d66cdeda07c9a7394835b25ca75066fe0d04fc02c4a10545abb16387310a6
Instruction Fuzzy Hash: F0314536A04716DFC712DE66C880E6FBBA5AFC8250F054568FC55EB300DA70DC01A7E1

Function 037DD6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: b621d75ade5f1cb11c40cd32494e2b69caae072d48147015ddf7c38e20b457d1
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 63319136A01204AFDB31DE98C984B6AB7B9EF84760F1D84ACED55DB250D374DD40CB90

Function 037E57C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce45212953f93f3b14d063aff789b085bbf36c1ed80a992a492de385dc994aa
Instruction ID: 19adaef84fc6adee06686d9bc88b2641f65256612941349d50635c1527e6fa8e
Opcode Fuzzy Hash: bce45212953f93f3b14d063aff789b085bbf36c1ed80a992a492de385dc994aa
Instruction Fuzzy Hash: 5531A139615A0AFFDB55DB64CE40EAABBA5FF89314F4450A9E9018BF50D730E830DB81

Function 0381A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 5ba5851a3787ec84a1b8b04ba66ec98478e90b4f3a71f895acad2a976e9aba86
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 7E312872B01B00AFD764CFA9DD40B57B7FCBB08A50F0849ADA99AC3650F634E900CB60

Function 0380438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034eeef453e8033fb23463a808ec1c6194efe0049a6b7907262b279eb5d39c4f
Instruction ID: f74e1ed54fc65e9ef7c1cd71d4009066a52afc182d85dd58808463c5470bce08
Opcode Fuzzy Hash: 034eeef453e8033fb23463a808ec1c6194efe0049a6b7907262b279eb5d39c4f
Instruction Fuzzy Hash: 4A31D331B417499FCB50EFE9CD80A6EB7F9AF80308F0044A9D645D7690E730DA41CB51

Function 037E92C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 3dff02cbe3de30b41c9f6c5c5c1269c79174860a3800ceb6a21e9ae1d7695417
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: A13188B66083099FCB01DF58D84095ABBE9EF89310F0409A9F951DB3A1D734DC04CBA2

Function 0389C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: eb4f7422607fbe03697e56222793fc1cf4d59dd4f05614396a402b8e8df82782
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 61210B3E700651A6DF14EBD98800ABEFBB4EF84710F44845BF956CB691E636DA50C3B1

Function 037DC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b25171f353b2ff59465ff9a6decad219744cd25f771019bad2cf7e5c06c689f
Instruction ID: 0a1b3defa4ac61b44fae006cce042be2714b22ac163757306a9f55fb1cf0458f
Opcode Fuzzy Hash: 5b25171f353b2ff59465ff9a6decad219744cd25f771019bad2cf7e5c06c689f
Instruction Fuzzy Hash: 8D3108B95003108BCB21EF68CC44BA9B7B4AF46314F5885E9D945DF382EB34D98ACBD0

Function 03814588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 20b81b39f8b64c6937acc73660e94acfe5823b5e252b946ce125cde7e1b6adcc
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: F3217435A00708EFDB15CF99C980A8EBBB9FF48758F1080A9ED16DF241D671DA55CB50

Function 037DE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: ad6e8942a14170473c5abdab1cc7077691c079e99a5e50a667b2d85e5c9c74e5
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 86317A35600604EFEB22CFA8C984F6AB7F9EF45354F1445A9E952DB690E730EE02CB50

Function 0385E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11d32d90a3ab2956462d4bcda85046c53c36138f4e210976063fdf2509aab51
Instruction ID: 2b5318743e34d5466739d4741b842f92955b830d8eb4c61c44f116ed291e497f
Opcode Fuzzy Hash: a11d32d90a3ab2956462d4bcda85046c53c36138f4e210976063fdf2509aab51
Instruction Fuzzy Hash: 4C316A79A012099FCB18CF98C8809EEB7F5EF88354B15459AF849DB390E731BA51CB91

Function 037E3616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18aabec55ca49e7805a0c9fe225883edf3762b8c8fa96343c0ccfa8f3c751ae3
Instruction ID: 45b363a0f89efb47cdccbeb8c9aeeff10dacb1a0f5e51aea487d39d0a29492e7
Opcode Fuzzy Hash: 18aabec55ca49e7805a0c9fe225883edf3762b8c8fa96343c0ccfa8f3c751ae3
Instruction Fuzzy Hash: 7521E3392057549FEB61DF68C988B2ABBA4BB88B14F490999E9414B751DB70EC04CF81

Function 0380F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 96b32ea4f5cd1cd863c1bab665722450c750b7fe18fd82e3f5586c2419430a25
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: E721CF722013049FC729CF65C841B66BBF9EF85364F1681ADE60ACB390EB70E801CB94

Function 038606F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3efd9c8b7fbe3e0d18fd44ca1ecf62e463426f7fcefabd5f4426cb004cf7c90
Instruction ID: 0c258c85a06f98bff72faee75b4b9202da8e55cc27a0cc1e05f674206d796cdf
Opcode Fuzzy Hash: a3efd9c8b7fbe3e0d18fd44ca1ecf62e463426f7fcefabd5f4426cb004cf7c90
Instruction Fuzzy Hash: E821BF75A00629ABCF14DF99C881ABEB7F8FF48740B5500A9E541EB240D778AD51CBA4

Function 0386019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69afff061bd77e03ab7f47e88fefb81a37ca05b789f3e510dd2f645be1780e22
Instruction ID: f85aa064197258fdb428120d5c2d485163de6691a31a479c3016e08c73503451
Opcode Fuzzy Hash: 69afff061bd77e03ab7f47e88fefb81a37ca05b789f3e510dd2f645be1780e22
Instruction Fuzzy Hash: 4C21AEB5600644AFD716DBA8D844F6AB7B8FF48740F1400A9F945DB791D738ED40CB68

Function 03819660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58696ca521d0a7457af46bd777ff4bfd86ff5701645fad817142eb246c4b984f
Instruction ID: 58764087b3e053f46ef336d26faf56c79f96c1ea95df375cbbf8ef6449014a95
Opcode Fuzzy Hash: 58696ca521d0a7457af46bd777ff4bfd86ff5701645fad817142eb246c4b984f
Instruction Fuzzy Hash: E521F93112470DDFCF31EAA5CC24B2677ADAB44224F1846D9F953CA6A4E731E861CBA1

Function 03860283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4672f6e2af4a67a4e5940fc00ac8e12b839c696eabc87cc29e6d00b490194fd6
Instruction ID: a33b54625e8fcf20a2a20bd5f9570848fb6df8b4a2bd5b17f83871b1771f3414
Opcode Fuzzy Hash: 4672f6e2af4a67a4e5940fc00ac8e12b839c696eabc87cc29e6d00b490194fd6
Instruction Fuzzy Hash: BB21AFB29083459FD712EFA9C948B5BF7ECBFC1244F0804A6B980CB291D734D904C6A6

Function 0381A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a389833c447a0888ca06bf3041eafedb06d4c1b73ffdc9c6b374c5691b12d59b
Instruction ID: 4945a5dc1c8700eda7fde0b664d594d036a5625b9f5eb9f80dce27191840f1fa
Opcode Fuzzy Hash: a389833c447a0888ca06bf3041eafedb06d4c1b73ffdc9c6b374c5691b12d59b
Instruction Fuzzy Hash: 4321BE39241B019FCB29DF69CC00B46B7F9FF48708F1484A8A919CB761E335E852CB94

Function 037DB765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c7985e19b10e298ba202826096338aa5cc56617dde27446cf02331a968edb05
Instruction ID: d81231287c025af41918b111c8ec628fb7546ebb8f6a9b32a210009cae1aeb01
Opcode Fuzzy Hash: 4c7985e19b10e298ba202826096338aa5cc56617dde27446cf02331a968edb05
Instruction Fuzzy Hash: 0B216676201B00DFCB22EF68C940F59B7F5FF08B18F1549ACE1168B6A1D734A850DB84

Function 03810124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: f6c85493718a675f5473dc2840b1ad2714a9ac1aaafab461a5834edfd8826a63
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: BB11DDB6600708AFD722DB88CD41F9ABBBCEB84754F1400A9E604CF180D675EE94CB65

Function 037E8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5837155b654e0a07b79d91231fd5dae0fc52eb41281e969a1aa12dc680bb136
Instruction ID: aa014befe0f055e0be8c370948807e13797141c1c6682bfbff1974e6c5b9f73f
Opcode Fuzzy Hash: d5837155b654e0a07b79d91231fd5dae0fc52eb41281e969a1aa12dc680bb136
Instruction Fuzzy Hash: 56118F36701625AFCB11CF89C580A6AB7E9AF4EB54B1C80AEED08DF205D6B2D901D791

Function 037E3720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6968132c4a76ffe22fbedf333d91915e1d7cdedb8ba0557dfc6acb4290b3f3e7
Instruction ID: 5341982e76e755b8b5a06d0d3febd47c9a4b44712c2f3aad8cb36943f1b86c66
Opcode Fuzzy Hash: 6968132c4a76ffe22fbedf333d91915e1d7cdedb8ba0557dfc6acb4290b3f3e7
Instruction Fuzzy Hash: 0221C579A012098BF715DF6DC0887EEB7A4EB8C328F29805CD811572D0CBB89945DB54

Function 037E80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ef5664e3ab884242b5cebb23b0d537e6b2eb4b303e9419e68bf72b7b51b5e9
Instruction ID: 6a1267081f9988e288c44475cb3f79b2b33886febed5c8b0d8c2cf9172982fa1
Opcode Fuzzy Hash: b7ef5664e3ab884242b5cebb23b0d537e6b2eb4b303e9419e68bf72b7b51b5e9
Instruction Fuzzy Hash: F6218175A40205EFCB14CF58C581A6EBBF6FB89718F24416DD105AB310D771AD06CBD1

Function 0381674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6604038d5bfa52354169f21227924c7a405906e746893f7c472c9992ec4637
Instruction ID: 11e3eeaababd3390eb6d0663c9c20f21850eef62986da210ea199891fa0ee7c4
Opcode Fuzzy Hash: 3d6604038d5bfa52354169f21227924c7a405906e746893f7c472c9992ec4637
Instruction Fuzzy Hash: ED218E75610B00EFC720CFA9C840F66B3F8FF44254F4489ADE9AAC7250EB70A860CB60

Function 037D9240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e4491a2a41bff53cdb1dabde305bb536975b28b4e02b1a2de3e6e014987dc6
Instruction ID: 1f041903deb5d0eb471f6597a7502847eb573553fc7363cff0fce5806a5fa002
Opcode Fuzzy Hash: 23e4491a2a41bff53cdb1dabde305bb536975b28b4e02b1a2de3e6e014987dc6
Instruction Fuzzy Hash: 8911347E052A04AAD721EF91E801A3277F8EB5AB80F5040A5E900CB394E734DC12CB65

Function 038166B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce90dd859c81cc78166e6337882f5aec61a10875ae52adfb75f634ea9c51ddae
Instruction ID: 6cf84fd8898c9a598a985447b0883d7be371516e30a754ac4303bf29001170b4
Opcode Fuzzy Hash: ce90dd859c81cc78166e6337882f5aec61a10875ae52adfb75f634ea9c51ddae
Instruction Fuzzy Hash: D4118F7BA016099FCB25DF99C580A5ABBECAB84650B0586F9DD55DB310E630DD10CB90

Function 038027ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8df7e948a6046394ee584d19ab5cca88cc307edd8216123b1fc1d7fc910b87c
Instruction ID: 18b980cb8b337c68c246f377a662abb08a0c30fb329d356fb84c738edc120d45
Opcode Fuzzy Hash: d8df7e948a6046394ee584d19ab5cca88cc307edd8216123b1fc1d7fc910b87c
Instruction Fuzzy Hash: 1E01DB796456486FE31AD2EDDC8CF27679CEF44359F0944E5F900DF690D958DC00C261

Function 0380B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64fa2db278ee086425df19b61050f2a384c1f8e355cc8f25fc7102eb891c01c
Instruction ID: 871ac943acaf328eea6309d761803c9db4b04cc2c008518aac641751d2bd77fc
Opcode Fuzzy Hash: b64fa2db278ee086425df19b61050f2a384c1f8e355cc8f25fc7102eb891c01c
Instruction Fuzzy Hash: 0601F976B043446BD761EBEE9C80F6BBBE8DF84214F0400A9E605D7281E774ED00C622

Function 0389D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 81a51e93111e53205e48e2de7962e4d7a6a0fdf20050acd8ae3bb14c4bd9ac8c
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 64015E79700249BBAF04DEE6CD44DAFBBBDEF85A44F09009AB905D7200E730EA05C761

Function 037E4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3123dd5b148db05c3c00341a1883c54c80140acbc4a2d65f4f69a5e74726c727
Instruction ID: 99397a70788f351649c7a3b682ccf1d9c51d710b05d5607a2aa3f328f7748cd0
Opcode Fuzzy Hash: 3123dd5b148db05c3c00341a1883c54c80140acbc4a2d65f4f69a5e74726c727
Instruction Fuzzy Hash: AB11CE76244744AFCB25CF5BD844F56BBB8EB8AB68F184119F9148B350C370E840EFA0

Function 03816620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85825d5fee0b9f68555c52d3b72702541e1751fe0fe9e5c46f59d130b7de5733
Instruction ID: b11143b40b83babe2ec066ae6955b070bba082143c9a645653c68f75a7fd5ceb
Opcode Fuzzy Hash: 85825d5fee0b9f68555c52d3b72702541e1751fe0fe9e5c46f59d130b7de5733
Instruction Fuzzy Hash: 3611A076A00715ABDB21DB99C980B5EF7BCEF88750F550495DD41EB200E730AD11CB50

Function 037D7330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42ad55072603ffa0809fa246eaa94e261061dc3a8f5389a8b465a6e8b383e6d
Instruction ID: d30188efb864ab27f39874c3d43822394376cb30c42daa83ea93e62b9d98289c
Opcode Fuzzy Hash: a42ad55072603ffa0809fa246eaa94e261061dc3a8f5389a8b465a6e8b383e6d
Instruction Fuzzy Hash: 2E11AC71600794AFD725CFA9C841BABB7F8EF48314F054869E985CB610E735EC00DBA1

Function 0380F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f7cf1c64bbe5cff1751847734c28cd58789eefce1fc5befe9154bb8f93eeb4
Instruction ID: 55ac5514ba18a1ef157c287c24a65fb478cc12257023488e5b4cff8179ce3217
Opcode Fuzzy Hash: b9f7cf1c64bbe5cff1751847734c28cd58789eefce1fc5befe9154bb8f93eeb4
Instruction Fuzzy Hash: 1611C276A007489FC720DFA9C844BAEB7A8FF84714F1940AAEA01EB681D679D941C760

Function 038772A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: b98dbe713c19c7ab4b7d62362ccd8308f5281cb278486afa5807e91cfbdd9861
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 2101D679140605BFD711DF95CC94E62FB6EFF44390B440965F214865A0C721ECA0C6A0

Function 037DA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: fb3bba32c31c440e47f1a1b3f3ec00b145f6c3b6a7cc44dd1e012f3b0061db98
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 3901D272505B119BCB70CF16D840A36BBB9FF89B607048A6DFC958F680D731E820DBA0

Function 037E6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690bacf958aee3ff5c123fe9f954aa7855dbd0828c825287bbf045f7fdd14dc3
Instruction ID: d3dd53201b68ca50eba5325a903966edc0ae1e313c9964a66e030f40028571e9
Opcode Fuzzy Hash: 690bacf958aee3ff5c123fe9f954aa7855dbd0828c825287bbf045f7fdd14dc3
Instruction Fuzzy Hash: 70115E74541228ABDB65EBA8CC51FE9B778AF08710F5045D4A314EA1E0D7709E81CF85

Function 037E208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 04076e3d3799e2e2cad74e7d48338889d1015dc99f6794cbf3690ac60fd442ce
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 380124326002108BDF10EAA9D880BA2B76EBFC8700F1948E5ED01CF396DA71C881D3E0

Function 037DC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 892c2ca4458bb5450f0674134b3ca3327809ea7e8dcb8efa41f647dca6b769ac
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 1E01D8361007499FDB22D6AAD800EA7B7FDFFC5254F084459A646CB640DA70E406C791

Function 038220F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c474a1bb4a2f0910effb3f6051b583dcd3c4645ca5933a0c363ff5e51735de78
Instruction ID: 455b42aa18cfb4c45e7ac3cb45dc359a07fefc4a02cfd431fff3372d9e37c493
Opcode Fuzzy Hash: c474a1bb4a2f0910effb3f6051b583dcd3c4645ca5933a0c363ff5e51735de78
Instruction Fuzzy Hash: 22116D35A0125CEFDB05EFA8C850EAE7BB9EF44344F004099F902DB250DA35EE51CB91

Function 037D9353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: fec1f3587705576ebd735f14a60efb1a7b8216b14a4738b723409500092c9fc2
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 9D11AD32900B02DFD721DF15C880B22B3F4BF49762F1A886CE6994E9A6C374E880CB50

Function 038033A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 7a75f8e277aeb9b0f69be6b1abea4a60b41d50d08955d5d3b1f4a25b4ddd47b4
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 4B01D63A700605ABCB52DAEADC00E5BBB6CAF94640B1504A9B915DF1A1EB70DA11C760

Function 0381D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 4c7b261829f0fcf6f1ca5a621cc06561b23df0c43b3bd1aa49b173b76dccdfa2
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: AD01D476A01244DBDB11DAE8E800F75B3ADAB84624F1441D6FE39CF380DB34E955C792

Function 037D826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc3abf2ed2219a16304bace869c07d38bdb173ffb89a3c12ed7743f46ded081
Instruction ID: b1e223ef5e34e25824997f703693c7383be21dcd3ee24c2c8005b883259c7a43
Opcode Fuzzy Hash: abc3abf2ed2219a16304bace869c07d38bdb173ffb89a3c12ed7743f46ded081
Instruction Fuzzy Hash: C401A735B00608EBC704EBAADD049AEB7B9EFC4220F1940A99902DB645EE70ED01C692

Function 037FE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: a319ad4e02b7244362c9bfa99fb14b4b3b87cd30835d288fa28a3adb731f0c3d
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: FE0196B22046889FD322C65CCA08F26B7E8FB85750F0D00A1EA05CBBA1C768DC40C266

Function 0389F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a753593d24208a2d6bafc65a1f756f75cec63d4ab8f1883548db551d4d9f13
Instruction ID: 84748ddec128dee210cb54de2556084398db375c27bec947accd470eed53f83e
Opcode Fuzzy Hash: f6a753593d24208a2d6bafc65a1f756f75cec63d4ab8f1883548db551d4d9f13
Instruction Fuzzy Hash: 8E018475A10358ABDB14EBE9D815FAFBBB8EF84704F0440A6F500EB380D6B4D900C7A5

Function 0380BBA0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
Instruction ID: 8fd406cf2bf665aa310557cc732e1eea7491dd38547e296c751099f2c13f77b2
Opcode Fuzzy Hash: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
Instruction Fuzzy Hash: 6D017177900128DBCB69CF89C9A0BA9B7A5EF44710F1900F9D806E7380DB71EE10DB94

Function 038A972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 038B5636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bfdc75ea45e7ac96476e8642742a3be046ce27d7a94a6f22a5bc32c7b4bac2
Instruction ID: e52a11192e57edd63604b6f57c6c13742af2653e14124a00a26022d92fbd2773
Opcode Fuzzy Hash: 57bfdc75ea45e7ac96476e8642742a3be046ce27d7a94a6f22a5bc32c7b4bac2
Instruction Fuzzy Hash: CF118078D00259EFCB04DFA9D444A9EBBB4FF18304F14809AB914EB340E774DA02CB65

Function 037DC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 77cbad51799f6244bee3d16300aa24b3add8016390c9829fb49f5023c3f7159b
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 32F0FC772447239BD733D6594884B6BA5B58FC9A64F1A0035E3099F644C9648C01E6D2

Function 038B5152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7848ff11d654751d88a1392a62ccc37f7bde4b4e9e07219aa6a85aa823c9aa6f
Instruction ID: 59b0c35cee8f56de82476ef439bf0e67d82a02bc7e4f10faeb821a5327673003
Opcode Fuzzy Hash: 7848ff11d654751d88a1392a62ccc37f7bde4b4e9e07219aa6a85aa823c9aa6f
Instruction Fuzzy Hash: 10012C75A1021DAFDB04DFA9D9519EEBBF8FF49314F10409AE900FB340D674EA018BA1

Function 038B50D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3181e5d0e8468142e875d0be6f34fff6dfde15033711826db6e20d148d14f534
Instruction ID: 2c09fe1e1301276fbfd98fedc16e95fefa39b39537116a34f18d9bf137a6d486
Opcode Fuzzy Hash: 3181e5d0e8468142e875d0be6f34fff6dfde15033711826db6e20d148d14f534
Instruction Fuzzy Hash: 0C012CB5A0031DAFDB04DFA9D9459EEBBF8EF49314F50409AE500FB380E674E9018BA1

Function 038B5060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e90c06b75f895238dbe196193941574f9bf8fb3501afbb77addf7e0ff4360ba
Instruction ID: 21677b2b8a7dcab3012cb56e179bb5cce6a6ae69d2c9a7babde49d0dd6f2d44b
Opcode Fuzzy Hash: 1e90c06b75f895238dbe196193941574f9bf8fb3501afbb77addf7e0ff4360ba
Instruction Fuzzy Hash: 70011A75A11259ABCB04EFA9D9419EEBBB8EF49314F10409AE901EB341D674AA018BA1

Function 0380C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: afedd8571761170b52a0d10c0c77e54fbfbaaaeb50e72f50edab0936fec4b6a0
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 24F0C2B2A00614ABD324CF8DDD40E57FBFADBC0A90F088169E515CB320EA31ED04CB90

Function 03815734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: da7fd71bd26954f922e204da3d53fc0a0c6bb7bb70321efadd157416fa5f7c09
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 34F0FF73A01214AFE319CF9CC841F6AF7EDEB86650F0940A9D500DF230E671DE04CA94

Function 0389F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7f1fa4b3323d3075fd54c786fab6e60f6b117d6800b7281c1ef9ad9b6f8bf5
Instruction ID: f861771276aae335ce21a353f5921ba6ea163db78d0e673c0f77b135d558fdc6
Opcode Fuzzy Hash: 1d7f1fa4b3323d3075fd54c786fab6e60f6b117d6800b7281c1ef9ad9b6f8bf5
Instruction Fuzzy Hash: 34014074E0034DAFDB04DFA9D445A9EBBF4EF08304F04405AA905EB350E674DA00CB61

Function 0389F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254917983f9626862596595109d5b5f1a79ba5ccdab328528ed1b2dbf9ebf8a6
Instruction ID: 86d79460b8f2bc99525aa740d0c10f0820bc60fe9abf31e57699a49131a8ec68
Opcode Fuzzy Hash: 254917983f9626862596595109d5b5f1a79ba5ccdab328528ed1b2dbf9ebf8a6
Instruction Fuzzy Hash: 9FF0A476A10358ABDB04DBF9C405AAEB7B8EF48710F04809AE501EB280DA74D9019761

Function 038B61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71efee67e9ce9235b017dab0716bbbe0923179ab3e20691fb260a4aba8cd56a2
Instruction ID: c84f0b28dd758e28f20008e27f608d935c1afcdf4139b047b86772c61ce6f4f6
Opcode Fuzzy Hash: 71efee67e9ce9235b017dab0716bbbe0923179ab3e20691fb260a4aba8cd56a2
Instruction Fuzzy Hash: C2018471A002599FDB04DFA9D445ADEBBF4EF44314F140099E500EB380D774DA01CB65

Function 0381724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: d5bb74ded401f45ac8613f7af4a8cf2b3a1c688b30d632f400904859115cc11b
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: A3F0F675A013696BEB10DBFD8940FAAFBAC9F84710F0885D9B902DB640D630EA51C750

Function 038B53FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be76a02b3affe6cf4615f95ea7ff6b3e55f55cfaf9cf3deaa985c18745a621d
Instruction ID: 6b40daa3c1b47ad4ece181937b586a68986e12eb1214168254ba40ac79c700b3
Opcode Fuzzy Hash: 4be76a02b3affe6cf4615f95ea7ff6b3e55f55cfaf9cf3deaa985c18745a621d
Instruction Fuzzy Hash: 33011EB4E0020A9FDB04DFA9D545B9EFBF4FF08304F1481A9A519EB381D6749A408B91

Function 037DC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a067ee3d9275c40c945706fad37d668dafea1ea9f1a0e8fc52c61017021bc52f
Instruction ID: 4c8a439f8d416f93dffcc3f391e49465dd07fe71bfcf7da4da75767a683875da
Opcode Fuzzy Hash: a067ee3d9275c40c945706fad37d668dafea1ea9f1a0e8fc52c61017021bc52f
Instruction Fuzzy Hash: 70F0B4B1204366ABF715D6599C02B6273BAEFC4651F29807AEB058F2D1FA72DC01C3A4

Function 038B3749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: 9f3588a382e46752dea1691de82ac25fb86cbfda87e8bee6993df941115c62b2
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 36F04476540704BFE711EBA8CD41FDA77BCEB04714F0001A6B555DA2D0E670AE44CB95

Function 0388437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 7e57c7441f563fcd8bc429869613aa97d7203a78fdf0fbf3be9a99b812c51201
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: E0F0BE3B341A1357DB76FBAB9820F2BE299AFD0B10B4906AC9411CF680DF60D8008790

Function 0389F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec555030faf836c1e04a2e6908c7d23c95bc11c98cf7ff6d20d556c2320757e
Instruction ID: 45c69c9f7fbd476c1f886faf0ffe5e8dac720c0154d8afedf5032474cf430412
Opcode Fuzzy Hash: 9ec555030faf836c1e04a2e6908c7d23c95bc11c98cf7ff6d20d556c2320757e
Instruction Fuzzy Hash: 61F08C74A00208EFCB04EFE9D505A9EBBF4EF08300F4040AAB945EB381D674DA00CB54

Function 037D92FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a623d8b8b1bdce137ff635cc23a3b4567fd48285511894356b095880c209177
Instruction ID: e235633862ec91e99c8f63a13587545bea90e0c7c05e4d0d7493413c788cff05
Opcode Fuzzy Hash: 9a623d8b8b1bdce137ff635cc23a3b4567fd48285511894356b095880c209177
Instruction Fuzzy Hash: FEF0FA32200740AFDB31EB09CC08F9ABBFDEF89B00F080559E64283590C7A0A908C660

Function 037E47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8819ebbe9d6ce6de9bdf3b07bc80619b37a5ea1664a320efe86204e463cf69eb
Instruction ID: 65da94dc4dc104eef821b3c32bf084ea8b58964c7c0fe61a687c218c285dc6f7
Opcode Fuzzy Hash: 8819ebbe9d6ce6de9bdf3b07bc80619b37a5ea1664a320efe86204e463cf69eb
Instruction Fuzzy Hash: B9F0E2319167E49FD732CBABC054B61B7E89B08730F0D89AAD49987601C724D880E651

Function 0389F6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1134d5204a25d34e24d502d53310cf5747231f81af17757d9d9a6fb73a4d4935
Instruction ID: 8fb8aaa9d4ccc197f2d0cc22432e20f3409aff18361ac9399f98bcff92c92a17
Opcode Fuzzy Hash: 1134d5204a25d34e24d502d53310cf5747231f81af17757d9d9a6fb73a4d4935
Instruction Fuzzy Hash: FFF06275A10348EFDB04EFE9D805E9EBBF4AF44304F044099E501EB381D674D900CB54

Function 038A0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0667377d92389787fa895b03aededc79f11c3aa1eadf6b80b85057e83d4badf
Instruction ID: b359df245415b5f01666ec75eebb5d0c0a19ddd25519a24c59e4f1a5a732fcce
Opcode Fuzzy Hash: d0667377d92389787fa895b03aededc79f11c3aa1eadf6b80b85057e83d4badf
Instruction Fuzzy Hash: 6BF05CAE817FC857EF22FBBC78903D1BB589742014F4D10C6C4A2DB205D5748493C625

Function 038B539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098b224c28a556c9caa765ad6f83aa6913b68724032e904bbc8a372ee2ce5e3e
Instruction ID: 819b8cde79150861dee01f8dd14fc26c3fdebf660c3b9eeae2a01908e8692bd7
Opcode Fuzzy Hash: 098b224c28a556c9caa765ad6f83aa6913b68724032e904bbc8a372ee2ce5e3e
Instruction Fuzzy Hash: F1F05E74A1074DAFDB04EBB9D555EAEBBB4AF48304F148099E501EB381DAB4D901CB25

Function 038B5283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6e8ea6dd165d1c2ceae60ce48c131481fbc088a52d134cf0f6444d584555ca
Instruction ID: ea8e5bb814bac7237275abe38f878255032936b1deac6d0dc294b5094be32e43
Opcode Fuzzy Hash: 9a6e8ea6dd165d1c2ceae60ce48c131481fbc088a52d134cf0f6444d584555ca
Instruction Fuzzy Hash: 83F0BE74A11709AFDB04EBF9D515EAEB7F4BF04304F004498A941EB381EA74D900CB50

Function 038B52E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36979b6582877e3b7e56474ba690bc574e56bae24d10ca455cc38f2cef0b7795
Instruction ID: 5fa4a4784faa5e6cf600dd5b984681cf9d700409572866047091d25d1dbaaa64
Opcode Fuzzy Hash: 36979b6582877e3b7e56474ba690bc574e56bae24d10ca455cc38f2cef0b7795
Instruction Fuzzy Hash: 7FF0BE74A10349AFDB04EFB9E505EAEB7B4AF48304F044098A501EB380EA74D900CB24

Function 03822619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 197c9ce1f62f4500fdd0369dd3517d1c6e25e00e8da82b251422bdba0c6c5f6f
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 66E092723006102BD711DE99CC84F577B6EAF82B10F0404B9B5049E251CAE69C5982A4

Function 038B5341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec9c54ed207917804df07c6d2f4f6d92b77a81757c866b7b2fc867083199e9c
Instruction ID: 1a8b3a28bff93f38d8d537f0bbd00c23848dd5f5eeaa8705869c87a9e1200dc2
Opcode Fuzzy Hash: cec9c54ed207917804df07c6d2f4f6d92b77a81757c866b7b2fc867083199e9c
Instruction Fuzzy Hash: 5AF08C74A01249ABDB04EBE9D955E9EBBB8AF4A708F540099A502EB3D0EA74D9008725

Function 03817208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832fc142ec3ceb7b6e3ff1bcfcd07c0330ef4cbac0936150da52cf954db9b235
Instruction ID: 1cd95077b17e6cf93f4196130273986b852c3cc7a82a550bb13a491eba9ba1cc
Opcode Fuzzy Hash: 832fc142ec3ceb7b6e3ff1bcfcd07c0330ef4cbac0936150da52cf954db9b235
Instruction Fuzzy Hash: 51F027759116849FD721CB9AC084B51B7ECAB00730F0C44E0FC09CF601CB28C8C4C250

Function 038B5227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577d53c91642eef42a35058ad31dc5f4715efd1677290ba97483869e97150c15
Instruction ID: 5712ad04e444342c74599005d682971fd1bd1da8df37f34517f52a58de7ffeaf
Opcode Fuzzy Hash: 577d53c91642eef42a35058ad31dc5f4715efd1677290ba97483869e97150c15
Instruction Fuzzy Hash: 8AF08274A15359ABDB04EBF9E515EAEB7B4AF44704F040098A941EB381EA74D900C755

Function 038B51CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4712d6e5bb3d6ebc3a7086c01874d7fd909f29a4564cc691384ad3b7c4a69e
Instruction ID: 75dc848da71dada93a2e397c722f335e9c0fc2422103c57b2d9406115545e97c
Opcode Fuzzy Hash: 6d4712d6e5bb3d6ebc3a7086c01874d7fd909f29a4564cc691384ad3b7c4a69e
Instruction Fuzzy Hash: 83F08274A1125DABDB04EBF9D515EAEB7B4AF04308F040099A941EB3D0EA74D900C765

Function 0389F72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54605915bb4ef6ea18221828fc21ce870a3ecdcaa05b574858c28783586934ea
Instruction ID: 396a80496e82cb61eefddc8ba85b3c40dda5bdafbcf81a2f8f72030e45dcf81d
Opcode Fuzzy Hash: 54605915bb4ef6ea18221828fc21ce870a3ecdcaa05b574858c28783586934ea
Instruction Fuzzy Hash: EEF08275A01348ABDB08EBE9D959E9E7BB4EF08704F040099F601EB280D974D9418725

Function 037E0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: ece58771bf4ac8c999ece40797925ac74e006b44fdf506c5ac3cbe00f89d97ed
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 0DF0E53E204340DFEF15CF56C050A957BA8EB45350B0400D9F8428B300D775E982DB80

Function 038B37B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: b2f93ce65194f6318b25dd7785708c163a9b199892e340d932da5dffea01675e
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: BFE06DB6210214BFE764DB98CD05FE673ECEB00720F1402A8B125D71E0DAB0AE40CA64

Function 0389B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 9a8df2514118ab2ba280a2a5f00ceb7897cfb57e8dbd2d721f587111bfaf3b8d
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: ADE0CD35245215FBEF239A40DC00F657755DB40790F144072FB089E690C5719D51E6D4

Function 037D823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 01f151a8c20261115aef9391858ab9c4e5618ac8ebfc3eca14303c1a4a56328e
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: AFE08C35100A20EEDB31AF59DC00B517AB9FF54B10F194CA9F0814A0A48670A881DA46

Function 038692BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5614dc078a653cd2259833be53da3f4f48935747fcd3c44d003a3ce4b17fed3c
Instruction ID: 2623d6faa8805070b3a50c8dc3b1730d87cb367c384cc6e6c1b5e888be1741da
Opcode Fuzzy Hash: 5614dc078a653cd2259833be53da3f4f48935747fcd3c44d003a3ce4b17fed3c
Instruction Fuzzy Hash: 4FF0E534252B84CFE71ADF48D2E1B5173B9FB85B44F5404D9D4468BBA2C73AA942CA80

Function 037E2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2cfddaf1cbd2d1daff64e8459450dfa80d6df6846b7deb3a1a89ffd42788e7
Instruction ID: cb1eec16810c761abb778e1a6ccc0a5341e927cb8e6b6353a77d39c0cff2fdf2
Opcode Fuzzy Hash: 5a2cfddaf1cbd2d1daff64e8459450dfa80d6df6846b7deb3a1a89ffd42788e7
Instruction Fuzzy Hash: 21E08C322006546BC611FA5DED10F5A739EEF98360F010221F1509B690CA20AC10C794

Function 0381E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 1f1134bf0f3b4a0250e2815b7716bf90557d2e8bb3ebbb6bb340d4c33e91a1b7
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 93D0A7322046109FD771DA1CFC04FC333D8BB48720F060499F018C7150C360AC41C644

Function 037DA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 99e1b78e1ef8411c34b330abf8b5b93204780370fa527f71fcdfb44c1e7481dd
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 6BD0223331203197CF28D6506814F63AA25BB80A90F1A002C340AA3940C0058C42D2E0

Function 037F02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 03f6b436460fc25348e03216225aae78bf52dd59f47fb159de5d846c694beb35
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 7ED0C935252E80CFC61ACB4DC5A4B1573A8FB44B44F8944D0E501CBB22D63CD940CA10

Function 0386930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: b938972f0de67c12f7886d021b1a6c445206385e408b893a8bd9d72162b2adf8
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 6FD01735941AC48FE727CB08C266B507BF8F785B40F8910D8E04287AE2C37C9984CB00

Function 0381C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: b91df277d91701042e37fe692801f44398a1f4e855e0845a5d5c8cb9832e39eb
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: C4C0123A290648AFDB12EA98CD01F027BA9EB98B40F010421F3048B6B0C631E820EA84

Function 03800310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: b1e95b6a0ad99b4a312dcd86176e72abe931d42e789f9ed99df311a05dec14d1
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: E5D01236100248EFCB02DF95C890E9A772AFBC8710F108019FD190B6508A31ED62DA50

Function 037E0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 487c58ee1a67016ff050d8380f7989338227ef71bfe55ce34ce7e2393de98f24
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: CDC0487A711A418FDF15DB6AD298F4977E8FB44740F1908D0E905DBB21E624F802CA10

Function 03824340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422a92da8dd023eb7fdd4b7e7e970d1a1916953be76609f95c4757c7dc9d228e
Instruction ID: 02933ec19cf9081e6228538e06d1f1d539a4bc6a8d49cb10ff5dad168c75ec3f
Opcode Fuzzy Hash: 422a92da8dd023eb7fdd4b7e7e970d1a1916953be76609f95c4757c7dc9d228e
Instruction Fuzzy Hash: 3A900231605804169140B1984884546401597E1301B65C051F142C564C8B148A5E63A2

Function 03823090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e956ba42b7169ff07b1a358a95ac361b4acabb24d474623728d670eb952975d
Instruction ID: 5d0301edac4cc7c05f0a8494fcb67fd655154942cc15318608f68fef330b39c4
Opcode Fuzzy Hash: 7e956ba42b7169ff07b1a358a95ac361b4acabb24d474623728d670eb952975d
Instruction Fuzzy Hash: 8C90022124140C06D140B19884147070016C7D1601F65C051B102C564D87168A6D76F2

Function 03823010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf67ab0d63f5a80d8c5838ab1296c824ea618d295e08e4496d297f6f66cc405a
Instruction ID: 0516f5e21c782f9d28d05319f6b6cd331a6e81509750d3c9bcd2a5f451dc9f72
Opcode Fuzzy Hash: bf67ab0d63f5a80d8c5838ab1296c824ea618d295e08e4496d297f6f66cc405a
Instruction Fuzzy Hash: 7790022120184846D140B2984804B0F411587E2202FA5C059B515E564CCA15895D6762

Function 03824650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d194ba08e1708d0a24c936c54e301f11e3a01236d767f1c220034d29b39ce8b
Instruction ID: d468ee046e8112b4bb175a1982b597934714e7989cca67f21ae5f71fa32f1dae
Opcode Fuzzy Hash: 5d194ba08e1708d0a24c936c54e301f11e3a01236d767f1c220034d29b39ce8b
Instruction Fuzzy Hash: 28900261601504464140B1984804406601597E23013A5C155B155C570C8718895DA2AA

Function 03822B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f00d85e6e456019fa2f545c699b94b1ba2f16a4452077931e5b88c7825f4d7
Instruction ID: 68ed8ef54a764936aa87fcf41919e5bda6fa0ad08d044c6abfa40fe3071260c0
Opcode Fuzzy Hash: a5f00d85e6e456019fa2f545c699b94b1ba2f16a4452077931e5b88c7825f4d7
Instruction Fuzzy Hash: 4290023120140C06D104B1984804686001587D1301F65C051B702C665E976589997172

Function 03822BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc23f7d8994bd674e7adf08ab5333ed1f84bc1382e566910cd0d859a4792f91e
Instruction ID: afc5489c3fe50ac09ccad2f9617bda0e6b8f8cd94c02e11b7c6bbfe6c7f9be3a
Opcode Fuzzy Hash: dc23f7d8994bd674e7adf08ab5333ed1f84bc1382e566910cd0d859a4792f91e
Instruction Fuzzy Hash: A390023160540C06D150B1984414746001587D1301F65C051B102C664D87558B5D76E2

Function 03822BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7e67e98f3d00940e574abee5a3f0a972b14fbae4d97f889788fae3208a6a0b
Instruction ID: 9a263245a92d1de935de6ea25969f75751c5afbf769b10d1c5866a1deb8ae83a
Opcode Fuzzy Hash: 6f7e67e98f3d00940e574abee5a3f0a972b14fbae4d97f889788fae3208a6a0b
Instruction Fuzzy Hash: 1F90023120544C46D140B1984404A46002587D1305F65C051B106C6A4D97258E5DB6A2

Function 03822BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd289243eb782070cba2a8f73ce10a7aa32ca169f918945f42588e24cd48c19c
Instruction ID: f8256ee4507721db1352c5b0dcc74304cba03b423c5cf752d994dab32cda1ba0
Opcode Fuzzy Hash: bd289243eb782070cba2a8f73ce10a7aa32ca169f918945f42588e24cd48c19c
Instruction Fuzzy Hash: 2490023120140C06D180B198440464A001587D2301FA5C055B102D664DCB158B5D77E2

Function 03822AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b15949885dcbe7f72b6af3c3341d80d466162ccaa94297c3d5075a37f02c90d
Instruction ID: 82453de273d1819009f890439b606491ad94cb5f20741206397e3f5c0c9a74bb
Opcode Fuzzy Hash: 2b15949885dcbe7f72b6af3c3341d80d466162ccaa94297c3d5075a37f02c90d
Instruction Fuzzy Hash: F69002A1201544964500F2988404B0A451587E1201B65C056F205C570CC6258959A176

Function 03822AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bffad6dc40484411735a5a90abe9db3d67798f25527be6a67acdccb2c3fbcb8
Instruction ID: 40949c6e33ee4534d30ad4e91941c3f74b21a2eba0091c68ba5c46adc09f99df
Opcode Fuzzy Hash: 7bffad6dc40484411735a5a90abe9db3d67798f25527be6a67acdccb2c3fbcb8
Instruction Fuzzy Hash: DB900225211404070105F5980704507005687D6351365C061F201D560CD72189696162

Function 03822AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bbc79971777e5a4887417dc6c02ef6468da5e68178cdfc114ccd9106c6306e
Instruction ID: 6ccf16f5dfeafaa6ae4560dbca76cd1280f562b4eaf94e378b19a34a35b635fd
Opcode Fuzzy Hash: 49bbc79971777e5a4887417dc6c02ef6468da5e68178cdfc114ccd9106c6306e
Instruction Fuzzy Hash: 22900225221404060145F598060450B045597D73513A5C055F241E5A0CC721896D6362

Function 038239B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012ad928ef5ef50cf63d59b09d137aceab2ed665f5e209b56063c224bbb472c
Instruction ID: c3a606dc6128702ebcdde83b3c187e17f30ba382c56e7f69c030fe09a7baa0b5
Opcode Fuzzy Hash: a012ad928ef5ef50cf63d59b09d137aceab2ed665f5e209b56063c224bbb472c
Instruction Fuzzy Hash: B890022124545506D150B19C44046164015A7E1201F65C061B181C5A4D8655895D7262

Function 03822F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5c300685b27f58189f553629b85610be59fdfb1d5af43027245d40d92145b2
Instruction ID: 1e08cd30f8a3801f2749563d1c2203c4e1f6fa2a4e529c94c7b91024f510f5e1
Opcode Fuzzy Hash: 6a5c300685b27f58189f553629b85610be59fdfb1d5af43027245d40d92145b2
Instruction Fuzzy Hash: FE90023120180806D100B198481470B001587D1302F65C051B216C565D8725895975B2

Function 03822FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec33fb95c9c7986065ea36fb5855fd48505755a1688321974d26bceef855b04c
Instruction ID: b458e5dd68ad271847b3923ca43a56c40d70eab778423f64a8b48844fb5e7346
Opcode Fuzzy Hash: ec33fb95c9c7986065ea36fb5855fd48505755a1688321974d26bceef855b04c
Instruction Fuzzy Hash: 4190023120180806D100B1984808747001587D1302F65C051B616C565E8765C9997572

Function 03822FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449fc769c75dc4b450ffd8b94faf8c9e32c84d7649155d9cb9e19ad098b714ce
Instruction ID: 5817dc169d261edca3e8aed8595350173bc292a9e2c7f9ac5be4e4cee6ecdc63
Opcode Fuzzy Hash: 449fc769c75dc4b450ffd8b94faf8c9e32c84d7649155d9cb9e19ad098b714ce
Instruction Fuzzy Hash: 0B900221601404464140B1A888449064015ABE2211765C161B199C560D8659896D66A6

Function 03822FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5dc5e9bf6de977a5a4961ae8f5d915a3902efe48c251b0b0a48a72a3a3e896
Instruction ID: b3bc35574f01daeb034b4c4bef85c4094e7881b020af9bc0f2af24228e276cc8
Opcode Fuzzy Hash: 9f5dc5e9bf6de977a5a4961ae8f5d915a3902efe48c251b0b0a48a72a3a3e896
Instruction Fuzzy Hash: CC900221211C0446D200B5A84C14B07001587D1303F65C155B115C564CCA1589696562

Function 03822F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9994afa43ba61fb156058250f24dea97b0792a36789c64344c007cce83f1418
Instruction ID: 6cd10d5ed0c6ca4c567d1088693518c5e7bce286e846e14ffb07aa7711c7d846
Opcode Fuzzy Hash: f9994afa43ba61fb156058250f24dea97b0792a36789c64344c007cce83f1418
Instruction Fuzzy Hash: 6E90026134140846D100B1984414B060015C7E2301F65C055F206C564D8719CD5A7167

Function 03822F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4e5cbb415d72b98a7d82bf05afa4bcaabd7b3f5030916f8c527c63d71abdc0
Instruction ID: adbfdfb07e63033e0dfed1e2d4b4444c81fdf6b36bdba8f58b06134419ac30b2
Opcode Fuzzy Hash: 8d4e5cbb415d72b98a7d82bf05afa4bcaabd7b3f5030916f8c527c63d71abdc0
Instruction Fuzzy Hash: F390026121140446D104B1984404706005587E2201F65C052B315C564CC6298D696166

Function 03822E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8dbd1ca45b9ede5f36f8f056991094b3fd676332f000997f662d91d6ac423e
Instruction ID: 20abfbdc424468485302d72007b45fc67911ec7932ba8bc1f3acd3c54f8355ce
Opcode Fuzzy Hash: cf8dbd1ca45b9ede5f36f8f056991094b3fd676332f000997f662d91d6ac423e
Instruction Fuzzy Hash: 9990022160140906D101B1984404616001A87D1241FA5C062B202C565ECB258A9AB172

Function 03822EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e533f9d9ad49493df9055a3e3dd8b12f09a8321ed44e276c4745691508a7b2
Instruction ID: a7ddf7f1f1b9b9003d2afefbfa0da9a639a087e523c75283ccfb2cb1b887e7f2
Opcode Fuzzy Hash: a0e533f9d9ad49493df9055a3e3dd8b12f09a8321ed44e276c4745691508a7b2
Instruction Fuzzy Hash: BB90027120140806D140B1984404746001587D1301F65C051B606C564E87598EDD76A6

Function 03822EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a549904bafca0fe1df5d4d8cdb3ea7d669ba0210a5445f57b102ed0c559399eb
Instruction ID: a0a5c12372f1c62b54b8b4263c2c5803aa0538da2a57618c2a1d74290b615d58
Opcode Fuzzy Hash: a549904bafca0fe1df5d4d8cdb3ea7d669ba0210a5445f57b102ed0c559399eb
Instruction Fuzzy Hash: 7790026120180807D140B5984804607001587D1302F65C051B306C565E8B298D597176

Function 03822E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4a430404425709dd8998737bcdc02fce7f01cb41024964931b52c12111b796
Instruction ID: 50ad105d2413c953d88b2edf84ef26555c87770f8a344b2ed98c5ccb815dde7e
Opcode Fuzzy Hash: 4b4a430404425709dd8998737bcdc02fce7f01cb41024964931b52c12111b796
Instruction Fuzzy Hash: A290022130140806D102B19844146060019C7D2345FA5C052F242C565D87258A5BB173

Function 03822DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a964b52bf0df8e8896c98820eef8d1e2d49207db1f7f8e150c42c06d802392
Instruction ID: 75051e8180d186b435b43479ec6285e40d5a7d83442afae87a76b5c11081839f
Opcode Fuzzy Hash: 94a964b52bf0df8e8896c98820eef8d1e2d49207db1f7f8e150c42c06d802392
Instruction Fuzzy Hash: EA90023124140806D141B1984404606001997D1241FA5C052B142C564E87558B5EBAA2

Function 03822DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f1d84916dda56add535a3bcccd154598e070364ffcc71c0b2371af96a047c3
Instruction ID: 521c774d1408f5fc0d1c631d6157c11cd5b8cac095db613ce320d458664a76eb
Opcode Fuzzy Hash: 58f1d84916dda56add535a3bcccd154598e070364ffcc71c0b2371af96a047c3
Instruction Fuzzy Hash: C2900221242445565545F1984404507401697E12417A5C052B241C960C8626995EE662

Function 03822D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62481653171c2c7e1ed311935c1411378423fc91da4b529d0dd78e87b1b6cd7
Instruction ID: 513b1a5bf854536a6eed0133d9cafc3b27839250c200a61ae100b7a72ae55b5c
Opcode Fuzzy Hash: c62481653171c2c7e1ed311935c1411378423fc91da4b529d0dd78e87b1b6cd7
Instruction Fuzzy Hash: 9790022120544846D100B5985408A06001587D1205F65D051B206C5A5DC7358959B172

Function 03822D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9a9bf522630c2c89cc8e27efd4c1c9b888dccc43f5b3dca185dfc0c145133
Instruction ID: 26c5ddabd6ff74bb735eda02e809006ce83d958dcfd4547f963fabebf34e0261
Opcode Fuzzy Hash: 05d9a9bf522630c2c89cc8e27efd4c1c9b888dccc43f5b3dca185dfc0c145133
Instruction Fuzzy Hash: 7E90022921340406D180B198540860A001587D2202FA5D455B101D568CCA15896D6362

Function 03823D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11766eab658188c65c22601d957b05fc9dafcac1bd70e2eec558c0679d8d588b
Instruction ID: cc1604b8e8db0aaabfcec04dc20decd84496ca224fdbcd6f391ec25d76a2a66d
Opcode Fuzzy Hash: 11766eab658188c65c22601d957b05fc9dafcac1bd70e2eec558c0679d8d588b
Instruction Fuzzy Hash: 33900231202405469540B2985804A4E411587E2302BA5D455B101D564CCA1489696262

Function 03822D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910273071af3b41fed486d51bf898b4754f51927c57055c6a22c7fdb6d756349
Instruction ID: 7280a328ce143f77bab8fac0ec502b124dcdf63ee647b751c043fc6ac8c728a5
Opcode Fuzzy Hash: 910273071af3b41fed486d51bf898b4754f51927c57055c6a22c7fdb6d756349
Instruction Fuzzy Hash: 2C90022130140407D140B19854186064015D7E2301F65D051F141C564CDA15895E6263

Function 03823D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36423653d15ab19067e161752e6658616dd77ea0b38ab78caf63b1462af679ea
Instruction ID: 7c76e0f4e2a8ff3f7eaf1b611164e965803e31219c5f38c4e445377688210d1c
Opcode Fuzzy Hash: 36423653d15ab19067e161752e6658616dd77ea0b38ab78caf63b1462af679ea
Instruction Fuzzy Hash: 6990023520140806D510B1985804646005687D1301F65D451B142C568D875489A9B162

Function 03822CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9164ad01b0ce60988e8fdae9abe1c08e549fe834262de2db61c02c6740bd567
Instruction ID: acb619f717413341f56aaddc442fef415a2b2307a01581777af41a338e972922
Opcode Fuzzy Hash: c9164ad01b0ce60988e8fdae9abe1c08e549fe834262de2db61c02c6740bd567
Instruction Fuzzy Hash: 3490023120140806D100B5D85408646001587E1301F65D051B602C565EC76589997172

Function 03822CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7391f78117fe0de06dacefcde32d147c448149d97871e7e258cbc5e9afbb565
Instruction ID: 5738b2158a369fe04dd5cc3bfe8b17009e09bd6438c132da08ef15bb0dda0afc
Opcode Fuzzy Hash: e7391f78117fe0de06dacefcde32d147c448149d97871e7e258cbc5e9afbb565
Instruction Fuzzy Hash: BF90022160540806D140B1985418706002587D1201F65D051B102C564DC7598B5D76E2

Function 03822CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad972fb76e10437adcffd26fea3d9f4f9809c66008dc78e1f4271e02fd5b60d1
Instruction ID: 1c58a0e346e628aa919c186c442faf3225ee18770f7b205608a23cbcac1fec15
Opcode Fuzzy Hash: ad972fb76e10437adcffd26fea3d9f4f9809c66008dc78e1f4271e02fd5b60d1
Instruction Fuzzy Hash: 5990023120140807D100B1985508707001587D1201F65D451B142C568DD75689597162

Function 03822C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604cdfbaf3117f33d4a4fc1fa354bbcc3af34fb906555c641285f1b8e8926ba9
Instruction ID: 8c2fdb8d448f6d2e54e6819ab129e5fb1b30f9b18b5151858280e6322c956b45
Opcode Fuzzy Hash: 604cdfbaf3117f33d4a4fc1fa354bbcc3af34fb906555c641285f1b8e8926ba9
Instruction Fuzzy Hash: 4B90023120140C46D100B1984404B46001587E1301F65C056B112C664D8715C9597562

Function 03822C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 56b9a1fcfce730fb11ace4b505265afdab07fd90a9fe4f63e4cfd8e7ade2de08
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 03822890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0382293C
___swprintf_l.LIBCMT ref: 0382295E
___swprintf_l.LIBCMT ref: 038229A3
___swprintf_l.LIBCMT ref: 0385A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0385A54E
ffff:, xrefs: 0385A504
::%hs%u.%u.%u.%u, xrefs: 0385A527
:%u.%u.%u.%u, xrefs: 0385A5B8

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b5a5cc6d27d9b624b2b80c4c915de244efe526c91c39abd065c8908510dde508
Instruction ID: f3c8206c9cba22c2e2e0d6d8ab9d962e3eab714a45119fa0e1437a00faa4fb6b
Opcode Fuzzy Hash: b5a5cc6d27d9b624b2b80c4c915de244efe526c91c39abd065c8908510dde508
Instruction Fuzzy Hash: 60510AB5A0012ABFCB65DFDC88D097EFBB8BB0920075486E9E8A5D7641D234DE40C7E0

Function 03817630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03854725
Execute=1, xrefs: 03854713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03854655
ExecuteOptions, xrefs: 038546A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 03854787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03854742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 038546FC

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: d7e1e3fa999654ad1959b35a3c0de2dc6a7d0cc51fad2af9655baa9ceaa38745
Instruction ID: a5217771fc543b0c1513ad709c009220b711a550a7a0cd3a4cb499a6f9c17ddd
Opcode Fuzzy Hash: d7e1e3fa999654ad1959b35a3c0de2dc6a7d0cc51fad2af9655baa9ceaa38745
Instruction Fuzzy Hash: BA51E675A1031D6AEF10EAE9EC95BAD77ACAF04304F0404EDF505EB181EB709A65CF51

Function 0382B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0382B6BF

Strings

+, xrefs: 0382B65A
-, xrefs: 0382B650
0, xrefs: 0382B66F
0, xrefs: 0382B695

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 37dafc96a6c536ad7f2ce048236a8239fc4cf17cbe2d427e2773fd8adadf1f4c
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: C881AC70E166699FDF26CEE8C8917AEBFA2AF45350F1C41DAD861E7291C73488C0CB51

Function 0380F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 038502BD
RTL: Re-Waiting, xrefs: 0385031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 038502E7

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 8722878d8dd29ef69cbbd5df61ee0261ac148b17bafa84472187288119220307
Instruction ID: c1258ff442f49023ddb7da1a292c87691360aed4b6046006a5e8da739709e209
Opcode Fuzzy Hash: 8722878d8dd29ef69cbbd5df61ee0261ac148b17bafa84472187288119220307
Instruction Fuzzy Hash: ACE1BE706087419FD765CFA8C884B6AB7E0BF84318F184A9DFAA5CB2E1D774D845CB42

Function 0381BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03857B7F
RTL: Resource at %p, xrefs: 03857B8E
RTL: Re-Waiting, xrefs: 03857BAC

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: e1593e867752de05899e80b40ee1d15e33c495d18bd9d271a1a10219a842b595
Instruction ID: b3d1ab7a5ddb1411d0d73c7f5308069b46bc5d65942f2b421b72635b84e6b504
Opcode Fuzzy Hash: e1593e867752de05899e80b40ee1d15e33c495d18bd9d271a1a10219a842b595
Instruction Fuzzy Hash: FE4126353007429FCB25CEA9D840B6AB7E9EF88710F140A9DF956DB380DB30E415CB92

Function 0381B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0385728C

Strings

RTL: Resource at %p, xrefs: 038572A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03857294
RTL: Re-Waiting, xrefs: 038572C1

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: e43237e4a07aab2bd88e3eb9fd3805e1848be4a0fafed7b1ebae4e8fc7daa183
Instruction ID: ad4d6c2244d098b128c3c455ba9fd718dd04a22648af5176362bed49e45221d9
Opcode Fuzzy Hash: e43237e4a07aab2bd88e3eb9fd3805e1848be4a0fafed7b1ebae4e8fc7daa183
Instruction Fuzzy Hash: 80411F35600246ABC721CEA9CC41F6AB7A9FF84710F148699FD56EB240DB21E852CBD1

Function 03827D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03827E8B

Strings

+, xrefs: 03827DE8
-, xrefs: 03827DDD

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 833e791ac330a74c721fafe11637955bc3fb764b4ac74e3c387142e7e3bcd31c
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: B991D774E042399BDF24DEEAC8816BEBFA5AF44720F18459AF865E72C5D73099C0C721

Function 037E9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 037E9191
@, xrefs: 037E9175

Memory Dump Source

Source File: 00000004.00000002.2063083233.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37b0000_wmplayer.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 71ff33244320c4faec76923fc2b9543de212ea8260bb4993ba474763382252cb
Instruction ID: 22dfef90f875477d69cf2be6f76e0e7f722d74f3fdad2e89698404a32172b323
Opcode Fuzzy Hash: 71ff33244320c4faec76923fc2b9543de212ea8260bb4993ba474763382252cb
Instruction Fuzzy Hash: E3813D76D002699BDB21DB94CC44BEEB7B8AF49710F0445DAEA19F7680D7309E80CFA0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NOVA ORDEM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NOVA ORDEM.exe_183265296818dedab7d0b93d41b13e51f02317e6_4b8a3282_5d79ce14-7b1c-47f3-9856-1b13ca046127\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6844.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69FA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A2A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Possible Origin

Network Behavior

Statistics

CPU Usage

Windows Analysis Report
NOVA ORDEM.exe

Function 00007FFD9B885D7F Relevance: 1.6, Strings: 1, Instructions: 350
COMMON

Function 00007FFD9B88497A Relevance: 1.6, APIs: 1, Instructions: 139
memoryCOMMON

Function 00007FFD9B880DA5 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Function 00417C63 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042B6B3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 038235C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 03822B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 03822DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 03822C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 00417CDF Relevance: 1.5, APIs: 1, Instructions: 42
libraryloaderCOMMON

Function 00417CE3 Relevance: 1.5, APIs: 1, Instructions: 41
libraryloaderCOMMON

Function 0042B9C3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042BA13 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042BA63 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Function 03822C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE